[ncc-services-wg] RIR DNS management
Shane Kerr
shane at time-travellers.org
Thu Sep 6 11:55:23 CEST 2012
Gert,

On Wednesday, 2012-09-05 22:01:45 +0200,
Gert Doering <gert at space.net> wrote:

> Hi,
>
> On Wed, Sep 05, 2012 at 04:53:41PM +0200, Shane Kerr wrote:
> > On Wednesday, 2012-09-05 15:56:01 +0200,
> > Gert Doering <gert at space.net> wrote:
> > > So, how would you authenticate that I'm authorized or not to have
> > > a DNS delegation for 30.195.in-addr.arpa? Without help of the
> > > RIPE NCC?
> >
> > People seem to be able to manage this on the routing side today, so
> > presumably those mechanisms would work here too.
>
> Do they?
>
> What I've seen here that *works* is "query the RIPE DB for the
> published route(6): objects for a given AS number, and accept that".

Yes, this. :)

For the DNS side, it could be something as simple as saying "add the
comment $RANDOM_TOKEN as a comment to your DOMAIN object". Or even
better, using the PGP or X.509 of the address maintainer to
authenticate the request.

> > But of course it would be even better to have explicit authorization
> > mechanisms. Perhaps the RIRs could develop some sort of address
> > certification technology... ;)
>
> That could be done, yes. Using the PKI tech for "DNSOA"
> certification - but that smells like much more effort than to just
> run the DNS servers :-)

The initial authentication - and presumably periodic checks - should
come from the RIR.

There are a few real benefits that could result from a dedicated DNS
service though.

The biggest benefit would likely be from a service that was not simply
a delegation-only service, but also acted as a DNS hoster, either as
the primary or secondary source. Of course you can arrange that on your
own today, but one-stop-shopping has some value.

Also, a service could work across multiple RIRs, so you could manage
your worldwide reverse DNS from a single place. (I admit this is not
such a big deal, since there are only a few RIRs and any organization
spread across multiple regions won't have a huge problem tracking these
details.)

In order to work across multiple RIRs, it might need to look a bit like
a DNS registrar, rather than a registry, since you may not want a
single organization controlling the entire reverse DNS.

Again, this isn't a serious proposal. It's less serious than when I
propose eliminating reverse DNS altogether, at least. :)

--
Shane
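
The "$RANDOM_TOKEN in your DOMAIN object" check suggested in the message above, sketched as an added example (not part of the original message and not any RIR's code). It assumes the token is published in a `remarks:` attribute, that the service derives tokens with an HMAC over zone and requester, and that the object text has already been fetched; all function names, the key, the TTL and the sample object are constructed for illustration.

```python
import hashlib
import hmac
import time

SERVICE_KEY = b"constructed-demo-key"  # assumption: secret held by the service
TOKEN_TTL = 24 * 3600                  # assumption: challenge valid for one day


def issue_token(zone, requester, now=None):
    """Challenge token bound to one zone, one requester and an issue time."""
    issued = int(time.time() if now is None else now)
    msg = f"{zone.lower().rstrip('.')}|{requester}|{issued}".encode()
    mac = hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()[:32]
    return f"dnsauth-{issued}-{mac}"


def parse_object(text):
    """Parse 'attribute: value' lines of an RPSL-style object, in order."""
    attrs = []
    for line in text.splitlines():
        if line.startswith(("%", "#", " ", "\t", "+")) or ":" not in line:
            continue  # skip comments and continuation lines
        key, _, value = line.partition(":")
        attrs.append((key.strip().lower(), value.strip()))
    return attrs


def verify_request(zone, requester, token, object_text, now=None):
    """True only if the token is ours, fresh, and published on that zone's object."""
    now = int(time.time() if now is None else now)
    try:
        prefix, issued_s, _mac = token.split("-")
        issued = int(issued_s)
    except ValueError:
        return False
    if prefix != "dnsauth" or not 0 <= now - issued <= TOKEN_TTL:
        return False
    expected = issue_token(zone, requester, issued)  # recompute, never trust the MAC
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    attrs = parse_object(object_text)
    domains = [v.lower().rstrip(".") for k, v in attrs if k == "domain"]
    if domains != [zone.lower().rstrip(".")]:
        return False  # object fetched is not the one for the requested zone
    return any(k == "remarks" and token in v.split() for k, v in attrs)


# Constructed sample object; only the zone name comes from the thread.
SAMPLE = "domain: 30.195.in-addr.arpa\nmnt-by: EXAMPLE-MNT\nsource: RIPE\n"
```

Binding the token to the zone and requester means a token copied into the object for a different zone, or presented by a different requester, fails the check even though it is a genuine token.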