Re: [DNSOP] CDS Bootstrapping for vanity DNS servers Wed, 22 June 2022 03:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D2B53C14F74E for <>; Tue, 21 Jun 2022 20:29:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gwX6Z4pBubpb for <>; Tue, 21 Jun 2022 20:29:50 -0700 (PDT)
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7A30EC14F74C for <>; Tue, 21 Jun 2022 20:29:49 -0700 (PDT)
Received: from (unknown []) (Authenticated sender: rubens) by (Postfix) with ESMTPSA id 8D5A6BD031; Wed, 22 Jun 2022 00:29:46 -0300 (-03)
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_B476C465-F072-4551-A824-65C31F3D0F18"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Date: Wed, 22 Jun 2022 00:29:45 -0300
In-Reply-To: <20220622030749.83A5343F6B20@ary.qy>
To: John Levine <>
References: <20220622030749.83A5343F6B20@ary.qy>
X-Mailer: Apple Mail (2.3696.100.31)
X-Spamd-Result: default: False [-4.50 / 15.00]; BAYES_HAM(-2.80)[99.15%]; SIGNED_PGP(-2.00)[]; MV_CASE(0.50)[]; MIME_GOOD(-0.20)[multipart/signed,multipart/alternative,text/plain]; ASN(0.00)[asn:27699, ipnet:, country:BR]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~,4:~]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; NEURAL_HAM(-0.00)[-1.000]; FROM_NO_DN(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; TO_DN_SOME(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; HAS_ATTACHMENT(0.00)[]; ARC_NA(0.00)[]
X-Rspamd-Queue-Id: 8D5A6BD031
Archived-At: <>
Subject: Re: [DNSOP] CDS Bootstrapping for vanity DNS servers
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Jun 2022 03:29:54 -0000

> On 22 Jun 2022, at 00:07, John Levine <> wrote:
> It appears that  <> said:
>> -=-=-=-=-=-
>> Hi.
>> During a meeting today of ROW (, the I-D on CDS bootstrapping by using a DNSSEC-signed name at name server
>> zone ( was discussed.
>> In that discussion, it was mentioned that the current draft only supports out-of-bailiwick name servers; I replied that the
>> same principle could be applied to in-bailiwick name server by usage of the reverse DNS zones for IPv4 and IPv6.
> Urrgh. In principle, you can put anything you want in a reverse zone.
> (Send mail to and it'll work.)

That's my recollection as well, but as the saying goes, code is law. Although in this case only registry/registrar and DNS operator are required to interoperate for the bootstrapping process.

> In practice, I doubt that enough reverse zones are signed or that the
> provisoning crudware that people use for reverse zones would work
> often enough to be worth trying to do this. I did some surveys of
> zones and found that in-bailiwick NS are quite uncommon, only a few
> percent of the ones in large gTLDs.

I don't expect the IP space used for DNS servers to be managed thru an IPAM system of sorts. But if one is used, it's unlikely they provision a zone-cut as required in the draft.

The prevalence among the overall DNS system is indeed low, but I wonder what % this represents within services that allow all of DNSSEC, CDS Bootstrapping and in-bailiwick DNS servers, like Business and Enterprise plans in Cloudflare: <> .

Or if supporting this type of DNS servers can help the adoption of this draft for the 99.9% use case of out-of-bailiwick servers. If not, we could be adding a new piece to the DNS Camel...