Re: [DNSOP] CPE devices doing DNSSEC

Jim Reid <> Sat, 08 March 2014 11:47 UTC

To: Mark Andrews <>
Cc:, Paul Hoffman <>
List-Id: IETF DNSOP WG mailing list <>

On 8 Mar 2014, at 09:00, Mark Andrews <> wrote:

> But they get told to do EPP to talk to the registries.

Correction: some registrars are obliged to use EPP to talk to some registries.

The followup to that is all TLD registries are exactly the same. Except where they are different.

Even in ICANN gTLD-land where everything's supposedly only done with EPP, low-volume registrars tend to use a web GUI rather than bother with an EPP client. The web back-end speaks EPP for them.

That said, even if this WG can come up with a standard for CPE to upload DS records or whatever -- good luck with that -- I am sceptical it will get widespread acceptance or deployment. Just look at the DNS brokenness that's in existing CPE firmware. The vendors simply don't care. They won't care until their customers, the ISPs, make them. An RFC might help. Though let's be realistic in our expectations.