Re: [DNSOP] Looking for panelists for DNSSEC provisioning session at Cancún ICANN meeting in March

sivasubramanian muthusamy <6.internet@gmail.com> Mon, 27 January 2020 15:44 UTC

From: sivasubramanian muthusamy <6.internet@gmail.com>
Date: Mon, 27 Jan 2020 21:13:06 +0530
Message-ID: <CAKsgsGx0zSjLAF7ysACNgjXM-Hm+BJTaOLzRrCia-Xxz4OV_8w@mail.gmail.com>
To: Steve Crocker <steve@shinkuro.com>
Cc: dnsop <DNSOP@ietf.org>, DNSSEC Provisioning <dnssec-provisioning@shinkuro.com>, DNSSEC Coordination <dnssec-coord@elists.isoc.org>, "dns-operations@lists.dns-oarc.net" <dns-operations@dns-oarc.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uLaIXZqWWVw4Pw9VxekLa2BZ5f4>

On Mon, Jan 27, 2020, 20:52 Steve Crocker <steve@shinkuro.com> wrote:

> Folks,
>
>
> I am organizing a panel session within the DNSSEC Workshop during
> the upcoming ICANN meeting in Cancún in March on the subject of DNSSEC
> provisioning.  There are two related but somewhat distinct topics.  One is
> the update of the DS record when the DNS provider rolls the key.  The other
> is how multiple DNS providers coordinate when each is signing the zone.
> Various proposals exist to solve each of these problems, but none has been
> fully accepted, and each suffers from a gap in the provisioning process.
>
>
> Depending on who is on the panel, we can cover either both topics or
> just the first topic.  I also intend to organize a session on these topics
> in Paris in May at the ICANN Global Domains Division Summit and/or the DNS
> Symposium.  Also, the dnssec-provisioning@shinkuro.com mailing list is
> specifically devoted to these two topics.
>
>
> Please let me know if you're interested in participating and if you have a
> position on how to address these problems.
>
>
> *Details*
>
>
> What is the path forward for automating solutions to these two
> provisioning problems?  Are new protocols needed?  What changes are
> required of registrars, DNS providers and/or registries?
>
>
>
> With respect to updating DS records, the solution space is basically a two
> by two matrix, with a subordinate third dimension:
>
>    - Are new DS records pushed upward, i.e. is the transmission initiated
>    by the DNS provider, or are new DS records pulled upward by the registry or
>    registrar?
>
>    - Is the registry or the registrar involved on the upper end of the
>    transmission?
>
>
> The subordinate third dimension is whether the KSK, DS or both are
> communicated.
>
>
> The solution in RFC 8078 is the pull/registry solution with support for
> both KSK and DS.  It was developed by a couple of DNS providers and is on
> the IETF standards track, but, so far as I can tell, is being adopted by a
> relatively few ccTLDs and is not gaining any traction within the gTLD
> community.  In contrast, GoDaddy has suggested its Domain Connect software
> could be extended to allow a push/registrar solution for DS updates.
>
>
>
> With respect to coordination among multiple DNS providers, Shumon Huque,
> et al.'s Internet-Draft https://tools.ietf.org/html/draft-ietf-dnsop-multi-provider-dnssec-01
> sets forth a scheme for multiple DNS providers to coordinate cross-signing of the
> same zone when it's served from multiple providers.
>
>
>
> I have both a general and a specific interest in this.  The general
> interest is in seeing some sort of solution be adopted in order to
> facilitate smoother operation and greater adoption of DNSSEC.  My specific
> interest is a guess that if the registrant could add the names of his DNS
> providers into the registration details, it would make both of these
> coordination processes much easier.
>

On the point immediately above:

I am a Registrant, with five or six of my own domain names under a
"Reseller" account which manages only these few accounts. I have found
creation of various DNS/MX records, some in the Domain Control panel, and
some in the Web hosting control panel, to be tasks that are not
'user-friendly' for the average Registrant. Besides, with a view to avoiding
errors that might interfere with the site's functionality, I have always
found it convenient to ask the Master reseller to create / update all
necessary records.

Is there a way of making these tasks expected of the Registrant as
easy as ordering ice cream from an online ice cream vendor? Or come up with
an alternate method of enabling the non-technical Registrant (for this
purpose, over 90% of the global Internet users) to maintain and announce
their DNS records as well as an advanced expert does?

Sivasubramanian M



> Thanks,
>
>
> Steve Crocker