Re: [DNSOP] On Powerbind

Paul Vixie <> Wed, 15 April 2020 00:30 UTC

From: Paul Vixie <>
To: dnsop <>
Date: Wed, 15 Apr 2020 00:30:00 +0000
Message-ID: <4114089.Lb5rXcgMSS@linux-9daj>
Organization: none
Subject: Re: [DNSOP] On Powerbind

a bit in the parent (DS RRset) to say this delegation point is itself 
delegation-only would be more interesting. perhaps a way to assure compliance 
with a contract, thus preventing any ambiguity along the lines of 

but a bit in the apex (DNSKEY RRset) is still interesting, as a declaration of 
intent, which is easily monitored to find out if that intent changes, and to 
allow widespread alarms if that intent isn't lived. one can imagine break-ins 
at the registry or registrar which would have the power to insert new children 
but not the power to change the apex DNSKEY.

a mature system would explicitly support this kind of live second-set-of-eyes.
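The "easily monitored" declaration of intent in the apex DNSKEY RRset, worked through as an added example (this is not code from the post, from Powerbind, or from any DNS implementation). It parses DNSKEY records in presentation format, records a baseline, and raises an alarm when the declared intent disappears or when the RRset changes at all, which is the kind of second-set-of-eyes check that would also catch a key inserted via a registry or registrar compromise. The bit position used for the delegation-only flag (`FLAG_DELEGATION_ONLY`) is a placeholder assumption, as are the sample keys; the real draft assigns its own flag value.

```python
"""Monitor a zone's apex DNSKEY RRset for a change of declared intent.

Added example, not taken from the mailing-list post or from Powerbind.
The delegation-only flag bit below is a PLACEHOLDER assumption; the
standard ZONE and SEP bits are from RFC 4034.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

FLAG_ZONE = 0x0100            # RFC 4034 ZONE bit
FLAG_SEP = 0x0001             # RFC 4034 Secure Entry Point bit
FLAG_DELEGATION_ONLY = 0x0040  # ASSUMPTION: placeholder bit for "delegation-only"


@dataclass(frozen=True)
class DnskeyRR:
    flags: int
    protocol: int
    algorithm: int
    public_key: str  # base64 text exactly as it appears in the zone file


def parse_dnskey_rrset(zone_text: str) -> list[DnskeyRR]:
    """Parse DNSKEY lines such as
    'example. 3600 IN DNSKEY 257 3 13 <base64>'; other lines are ignored."""
    rrs: list[DnskeyRR] = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        key = "".join(fields[i + 4:])  # base64 may be split across whitespace
        rrs.append(DnskeyRR(flags, proto, alg, key))
    return rrs


def rrset_fingerprint(rrs: list[DnskeyRR]) -> str:
    """Order-independent digest of the whole RRset, so a newly inserted key
    is detected even if every existing key is untouched."""
    canon = sorted(f"{r.flags} {r.protocol} {r.algorithm} {r.public_key}" for r in rrs)
    return hashlib.sha256("\n".join(canon).encode()).hexdigest()


def declares_delegation_only(rrs: list[DnskeyRR]) -> bool:
    """The declaration holds only if every ZONE key carries the bit; a single
    new key without it is treated as withdrawing the intent."""
    zone_keys = [r for r in rrs if r.flags & FLAG_ZONE]
    return bool(zone_keys) and all(r.flags & FLAG_DELEGATION_ONLY for r in zone_keys)


def check_intent(baseline_text: str, observed_text: str) -> list[str]:
    """Compare a stored baseline against a freshly observed apex DNSKEY RRset
    and return the alarms a monitor should raise (empty list means quiet)."""
    base = parse_dnskey_rrset(baseline_text)
    obs = parse_dnskey_rrset(observed_text)
    alarms = []
    if declares_delegation_only(base) and not declares_delegation_only(obs):
        alarms.append("delegation-only declaration withdrawn at apex")
    if rrset_fingerprint(base) != rrset_fingerprint(obs):
        alarms.append("apex DNSKEY RRset changed")
    return alarms


# Constructed sample data: flags 321 = ZONE|SEP|placeholder, 320 = ZONE|placeholder.
BASELINE = """
example. 3600 IN DNSKEY 321 3 13 AwEAAcKSK/constructedKeyMaterial/AAAA==
example. 3600 IN DNSKEY 320 3 13 AwEAAcZSK/constructedKeyMaterial/BBBB==
"""
# Same keys, but the ZSK no longer carries the placeholder bit (256 = ZONE only).
OBSERVED_WITHDRAWN = """
example. 3600 IN DNSKEY 321 3 13 AwEAAcKSK/constructedKeyMaterial/AAAA==
example. 3600 IN DNSKEY 256 3 13 AwEAAcZSK/constructedKeyMaterial/BBBB==
"""
# A routine ZSK rollover that keeps the declaration: intent intact, RRset changed.
OBSERVED_ROLLED = """
example. 3600 IN DNSKEY 321 3 13 AwEAAcKSK/constructedKeyMaterial/AAAA==
example. 3600 IN DNSKEY 320 3 13 AwEAAcZSK/constructedKeyMaterial/CCCC==
"""

if __name__ == "__main__":
    for name, observed in [("unchanged", BASELINE),
                           ("withdrawn", OBSERVED_WITHDRAWN),
                           ("rolled", OBSERVED_ROLLED)]:
        print(name, check_intent(BASELINE, observed) or ["ok"])
```

In practice the observed text would come from a signed, validated DNSKEY query rather than a string literal, and the two alarms deserve different severities: a changed fingerprint during a planned rollover is expected, whereas the intent bit disappearing without an announced policy change is exactly the event this monitoring exists to catch.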