On Oct 15, 2019, at 10:36 PM, Mark Andrews <marka(_at_)isc(_dot_)org> wrote:
Well when the delegation was initially registered credential where exchanged
even if that was a user name / password pair. This allowed NS records and
glue address records to be updated securely. Updating/adding DS records is no
different. You use the existing mechanisms, initially this was talking to the
registry directly. These days it is intermediated through a registrar.
Yes, but as you're well aware, with DNSSEC users need a standard
interface that enables automation of KSK/DS updates, and the extra
hop through the registrar is rather a major obstacle. Also,
in many cases the DNS zone operator needs to be empowered to
do key management, without necessarily having full control of
the zone for transfers, ...
Perhaps it should be possible for the user to obtain from a token
that authorizes a key pair for direct access to the registry for
(purposes of DS RR updates) by the holder of the keypair. The
token (and associated key) might then be delegated to the DNS
That token is presently a signed CDS/CDS0 record, which handles
everything but initial enrollment (bootstrapping), for which
..CZ, .CH, et. al. are exploring ToFU approaches.
ietf-smtp mailing list