This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ncc-services-wg@ripe.net/
[ncc-services-wg] RIR DNS management
- Previous message (by thread): [ncc-services-wg] RIR DNS management
- Next message (by thread): [ncc-services-wg] RIR DNS management, was Re: Policy proposal for services to legacy Internet resource holders
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Shane Kerr
shane at time-travellers.org
Thu Sep 6 11:55:23 CEST 2012
Gert, On Wednesday, 2012-09-05 22:01:45 +0200, Gert Doering <gert at space.net> wrote: > Hi, > > On Wed, Sep 05, 2012 at 04:53:41PM +0200, Shane Kerr wrote: > > On Wednesday, 2012-09-05 15:56:01 +0200, > > Gert Doering <gert at space.net> wrote: > > > So, how would you authenticate that I'm authorized or not to have > > > a DNS delegation for 30.195.in-addr.arpa? Without help of the > > > RIPE NCC? > > > > People seem to be able to manage this on the routing side today, so > > presumably those mechanisms would work here too. > > Do they? > > What I've seen here that *works* is "query the RIPE DB for the > published route(6): objects for a given AS number, and accept that". Yes, this. :) For the DNS side, it could be something as simple as saying "add the comment $RANDOM_TOKEN as a comment to your DOMAIN object". Or even better, using the PGP or X.509 of the address maintainer to authenticate the request. > > But of course it would be even better to have explicit authorization > > mechanisms. Perhaps the RIRs could develop some sort of address > > certification technology... ;) > > That could be done, yes. Using the PKI tech for "DNSOA" > certification - but that smells like much more effort than to just > run the DNS servers :-) The initial authentication - and presumably periodic checks - should come from the RIR. There are a few real benefits that could result from a dedicated DNS service though. The biggest benefit would likely be from a service that was not simply a delegation-only service, but also acted as a DNS hoster, either as the primary or secondary source. Of course you can arrange that on your own today, but one-stop-shopping has some value. Also, a service could work across multiple RIRs, so you could manage your worldwide reverse DNS from a single place. (I admit this is not such a big deal, since there are only a few RIRs and any organization spread across multiple regions won't have a huge problem tracking these details.) In order to work across multiple RIRs, it might need to look a bit like a DNS registrar, rather than a registry, since you may not want a single organization controlling the entire reverse DNS. Again, this isn't a serious proposal. It's less serious than when I propose eliminating reverse DNS altogether, at least. :) -- Shane -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: not available URL: </ripe/mail/archives/ncc-services-wg/attachments/20120906/159b932e/attachment.sig>
- Previous message (by thread): [ncc-services-wg] RIR DNS management
- Next message (by thread): [ncc-services-wg] RIR DNS management, was Re: Policy proposal for services to legacy Internet resource holders
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]