[dns-wg] RFC 7344 support in the RIPE database

Hi Tony, Jim, all,

thank you for your interest in automatic updates of DS records in the
RIPE database. My piece of (slightly) running code is growing here:

https://github.com/oskar456/ripe_db_ds_updater

As I said, it is a very early version, not even alpha, but hopefully it
will evolve in the future.

In my opinion, the implementation of RFC 7344 in RIPE DB should follow
similar principles like this tool, that means:

 - opt-in basis – we expect some level of knowledge for DNSSEC reverse
zones operators; scanning the whole delegation space regularly would be
pretty futile job, at least with the current status of DNSSEC in the
reverse address space*

 - no support for insecure to secure bootstrapping (RFC 8078) - if this
automatic management is opt-in, during opting in, the user should also
bootstrap the first DS

The exact procedure of opting in is an implementation detail. I
personally pretty like the idea of special mntner, because it also
stresses the fact that actual object can be modified without of the
consent of the regular mntner. Other solution would be to move
automatically-managed data out of the database, so the database object
would not get modified with every DS update.

-- 
Best regards

Ondřej Caletka

*) I don't have any numbers, but I expect the adoption ratio is pretty low.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3718 bytes
Desc: Elektronicky podpis S/MIME
URL: </ripe/mail/archives/dns-wg/attachments/20181017/bf50059b/attachment.p7s>