Re: [DNSOP] CPE devices doing DNSSEC

Mark Andrews <marka@isc.org> Sat, 08 March 2014 09:01 UTC

To: Paul Hoffman <paul.hoffman@cybersecurity.org>
From: Mark Andrews <marka@isc.org>
References: <20140307100524.2F42810CD58F@rock.dv.isc.org> <A0D47DA8-6E19-4A61-8A7C-FE960A0FA7E9@cybersecurity.org>
In-reply-to: Your message of "Fri, 07 Mar 2014 17:45:05 -0000." <A0D47DA8-6E19-4A61-8A7C-FE960A0FA7E9@cybersecurity.org>
Date: Sat, 08 Mar 2014 20:00:09 +1100
Message-Id: <20140308090009.5E51210D1595@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/eT70H9gAqWhL4qMrNPguRa2oTN8
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] CPE devices doing DNSSEC

In message <A0D47DA8-6E19-4A61-8A7C-FE960A0FA7E9@cybersecurity.org>, Paul Hoffman writes:
> On Mar 7, 2014, at 10:05 AM, Mark Andrews <marka@isc.org> wrote:
> 
> > 	I know Registrars don't like to be told what to do
> 
> +1

But they get told to do EPP to talk to the registries.

They have failed to invent / document a common standard way for
machine updates to work.  They could have quite easily got together
anytime in the last decade and done a standardised update protocol.

But they haven't.  We, working on behalf of their customers, who are
our customers, have to work out a machine-to-machine protocol which
will do the job.  I have customers saying "make DNSSEC simpler".
One of the ways to make it simpler is to automate the updating of
records in the parent zone / parent registry.  We already have a
mechanism to do this for a plain parent zone.

We also have customers that are going to have machines that are not
CPE devices renumbered because ISPs will not guarantee stable
addresses with PD.  This leads to the requirement that one needs
to update glue addresses.  We already have a mechanism to do this
when the parent is a plain nameserver.

It's easy enough to translate

	delete-type
	add 
	add

to JSON

{
	"name" : "example.net",
	"DS" : [
		{
			"rdata" : "...."
		},
		{
			"rdata" : "...."
		}
	]
}

(Yes, a better JSON schema than this is needed, but again that is
something that needs to be standardised.)

If one says "always send 'delete type' followed by all the records
that should exist", which is the type of UPDATE operation I would
recommend these tools perform, the tool could even enforce it.
It's also easy to translate from JSON to UPDATE.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
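The translation the message sketches, as an added example that is not part of the mail and not ISC's or any registrar's code: it turns a "delete-type, then add every record that should exist" sequence of UPDATE operations into a JSON document of the shape shown above and back again, enforcing that idiom in both directions. The JSON shape, the function names and the op tuple format are this example's own assumptions; the DS rdata and glue address are constructed. It also covers the A/AAAA glue case the mail mentions, not only DS.

```python
"""Round-trip between the "delete-type, then add every record that should
exist" UPDATE idiom and a JSON document like the one in the mail.
Added example (not from the mail or ISC); JSON shape, function names
and op tuple format are assumptions of this example. Stdlib only."""
import ipaddress
import json
import re

# Constructed sample data: DS rdata in RFC 4034 presentation format
# (key tag, algorithm, digest type, hex digest) and one glue address.
# The digests are made-up hex, not digests of any real key.
SAMPLE_NAME = "example.net"
SAMPLE_DS = [
    "12345 13 2 " + "ab" * 32,
    "54321 13 2 " + "cd" * 32,
]
SAMPLE_AAAA = "2001:db8::53"

_DS_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)$")
_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}   # SHA-1, SHA-256, SHA-384


def normalize_rdata(rrtype, rdata):
    """Validate rdata for the types a parent-side API would accept and
    return it in a canonical text form so duplicates compare equal."""
    if rrtype == "DS":
        m = _DS_RE.match(rdata.strip())
        if not m:
            raise ValueError("DS rdata must be 'keytag alg digesttype digest'")
        keytag, alg, dtype, digest = int(m[1]), int(m[2]), int(m[3]), m[4]
        if not 0 <= keytag <= 65535 or not 0 <= alg <= 255:
            raise ValueError("DS key tag or algorithm out of range")
        if dtype not in _DIGEST_HEX_LEN or len(digest) != _DIGEST_HEX_LEN[dtype]:
            raise ValueError("DS digest length does not match digest type")
        return f"{keytag} {alg} {dtype} {digest.lower()}"
    if rrtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(rdata.strip())
        if (rrtype == "A") != (addr.version == 4):
            raise ValueError(f"{rdata} is not an {rrtype} address")
        return addr.compressed
    raise ValueError(f"unsupported type {rrtype}")


def update_to_json(name, ops):
    """ops is a list of ("delete-type", TYPE) or ("add", TYPE, rdata).
    The idiom is enforced: every type touched must start with
    delete-type, and no other deletion form is accepted, so the
    document always describes the complete desired RRset."""
    doc = {"name": name.rstrip(".").lower()}
    for op in ops:
        if op[0] == "delete-type":
            rrtype = op[1]
            if rrtype in doc:
                raise ValueError(f"duplicate delete-type for {rrtype}")
            doc[rrtype] = []
        elif op[0] == "add":
            rrtype, rdata = op[1], op[2]
            if rrtype not in doc:
                raise ValueError(f"add {rrtype} without preceding delete-type")
            entry = {"rdata": normalize_rdata(rrtype, rdata)}
            if entry not in doc[rrtype]:      # drop duplicate records
                doc[rrtype].append(entry)
        else:
            raise ValueError(f"op {op[0]!r} not allowed by the idiom")
    return json.dumps(doc, indent=1, sort_keys=True)


def json_to_update(text):
    """Inverse direction (the registrar side): turn the document back
    into UPDATE operations. An empty list for a type means 'remove the
    whole RRset'; for DS that makes the delegation insecure, so a real
    API should make that case explicit rather than silent."""
    doc = json.loads(text)
    ops = []
    for rrtype, records in doc.items():
        if rrtype == "name":
            continue
        ops.append(("delete-type", rrtype))
        for rec in records:
            ops.append(("add", rrtype, normalize_rdata(rrtype, rec["rdata"])))
    return doc["name"], ops


if __name__ == "__main__":
    ops = [("delete-type", "DS")] + [("add", "DS", r) for r in SAMPLE_DS]
    ops += [("delete-type", "AAAA"), ("add", "AAAA", SAMPLE_AAAA)]
    text = update_to_json(SAMPLE_NAME, ops)
    print(text)
    print(json_to_update(text))
```

Because the document carries the whole desired RRset rather than a diff, replaying it is idempotent: a retried or reordered request converges on the same DS set, which is the property that makes the "delete-type then add all" convention safe for unattended CPE updates.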