RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)

Timothe Litt litt at acm.org
Thu Dec 29 21:34:19 UTC 2022


Apparently I didn't include the DNS script library link mentioned in my 
note.  Sorry.

https://github.com/srvrco/getssl/tree/master/dns_scripts

On 29-Dec-22 13:45, Peter wrote:

> On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote:
>
> ! (Manual processes
> ! are error-prone.  That getting registrars to adopt CDS/CDNSKEY - RFC7344 -
> ! has been so slow is unfortunate.)
>
> Seconded. Do You have information about this moving at all? Because to
> me it looks very much like dead-in-the-water, and my registrar didn't
> even know what that is.
>
> Otherwise I would have perfect automation for continuous rollover -
> but still I have to either hack the data into their webinterface, or
> figure out what kind of crappy api they might have - and in my view the
> first option is boring and the second is superfluous work.
>
> cheerio,
> PMc

Yup, Eric's case was a classic example.  He tried to do the right thing, 
put in the wrong record, and the system didn't produce the expected 
results.  To his credit, he persisted.  Most people don't.  A while ago 
there was a study (cloudflare/APNIC 
<https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/>) 
that showed that only about 40% of people who enabled DNSSEC for 
their accounts successfully served DS records in their registry.

There are some registrars and registries who support CDS/CDNSKEY 
(RFC7344/8078).  Unfortunately, not enough.

I don't track it closely, but here are a few who claim support when last 
I looked.

.cz, .ch, .li, .ne, .se, .sk

DNSSimple, domainnameshop

GoDaddy publishes CDS and CDNSKEY when it manages DNSSEC, but doesn't 
poll when delegated.  I don't think they bridge (poll & then use EPP for 
domain registries that don't poll.)

Cloudflare was an advocate, and has published for a long time. Again, 
the issue is registries.

https://github.com/oskar456/cds-updates has a list that seems more 
current.  Note that none of the big 13 are on it - .com, .net, .org, 
.info, .gov, .edu, ...

There are hybrid approaches.  Most of the registrars have some sort of 
proprietary API that allows a script to insert/delete/modify records.  
So you can let BIND generate them and script the registry updates.  But 
it's ad-hoc for each registrar.

For some idea of what a mess that is, here is a library of DNS update 
scripts for a number of registrars (used by a LetsEncrypt script, but 
the aggravation/diversity is the same).

I suspect that to get any forward progress, someone will have to come up 
with a business case that shows why the registries should take action.  
Or get ICANN to mandate it.  There are various user constituencies in 
ICANN, but that's a highly political process.

So much like DNSSEC itself, the technology is there, but the will to use 
it everywhere it's needed is not.

(I'm not involved with any of the players, aside from reviewing the RFC 
drafts.  Just an interested, and frustrated, observer.)

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
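As an added illustration of the CDS/CDNSKEY mechanics the thread is about (this is not code from the mail, from BIND, or from the getssl scripts it links), here is a small Python script that does the two checks a defender cares about when a registry does poll RFC 7344 records: it derives DS records from a zone's DNSKEY RRset (RFC 4034 key tag and SHA-256 digest), confirms that every CDS the child publishes really corresponds to a key in that zone (the "put in the wrong record" failure mentioned above), and then applies the parent-side decision from RFC 7344 section 4 and the RFC 8078 delete record. The zone name and the 4-byte key material are constructed for the demo and are not real keys; the RRSIG validation that RFC 7344 also requires before a parent acts is assumed to have happened elsewhere and is not implemented here.

```python
import base64
import hashlib
from typing import NamedTuple, Optional, Set, Tuple


class DS(NamedTuple):
    """DS / CDS rdata fields (RFC 4034 section 5.1)."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str          # lowercase hex


# RFC 8078 section 4: a lone "CDS 0 0 0 00" asks the parent to remove the DS RRset.
DELETE_CDS = DS(0, 0, 0, "00")


def name_to_wire(owner: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY rdata: 2-byte flags, protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key-tag algorithm (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> DS:
    """Derive the DS/CDS record for a DNSKEY; digest type 2 = SHA-256 (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    data = name_to_wire(owner) + rdata
    if digest_type == 2:
        digest = hashlib.sha256(data).hexdigest()
    elif digest_type == 4:
        digest = hashlib.sha384(data).hexdigest()
    else:
        raise ValueError("unsupported digest type %d" % digest_type)
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(text: str) -> DS:
    """Parse presentation-format DS/CDS rdata: '<tag> <alg> <dtype> <hex ...>'."""
    tag, alg, dtype, *hexparts = text.split()
    return DS(int(tag), int(alg), int(dtype), "".join(hexparts).lower())


def stray_cds(owner: str, dnskeys, cds: Set[DS]) -> Set[DS]:
    """Return the CDS records that match NO key in the zone's DNSKEY RRset.

    An empty result means every published CDS was derived from a key that is
    really in the zone, which is the child-side sanity check that would have
    caught a mistyped record before the registry ever saw it."""
    derived = set()
    wanted_types = {c.digest_type for c in cds if c != DELETE_CDS}
    for flags, protocol, algorithm, pubkey in dnskeys:
        for dtype in wanted_types:
            derived.add(ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, dtype))
    return {c for c in cds if c != DELETE_CDS and c not in derived}


def plan_ds_update(current_ds: Set[DS], cds: Set[DS]) -> Tuple[str, Optional[Set[DS]]]:
    """Parent-side decision once the CDS RRset has been validated (signature check assumed).

    RFC 7344 section 4: no CDS -> leave DS alone; CDS equal to DS -> nothing to do;
    otherwise replace the DS RRset with the CDS content.
    RFC 8078 section 4: the delete record is only meaningful on its own."""
    if not cds:
        return ("noop", None)
    if DELETE_CDS in cds:
        return ("delete", None) if len(cds) == 1 else ("invalid", None)
    if cds == current_ds:
        return ("noop", None)
    return ("replace", set(cds))


# Constructed sample zone (not a real key): one KSK, algorithm 13, dummy 4-byte key.
ZONE = "example.org."
ZONE_DNSKEYS = [(257, 3, 13, "ECAwQA==")]   # flags, protocol, algorithm, key (constructed)

if __name__ == "__main__":
    good = ds_from_dnskey(ZONE, *ZONE_DNSKEYS[0])
    print("CDS the zone should publish:", good)
    print("stray CDS:", stray_cds(ZONE, ZONE_DNSKEYS, {good}))
    print("parent with no DS yet:", plan_ds_update(set(), {good}))
    print("parent asked to delete:", plan_ds_update({good}, {parse_ds("0 0 0 00")}))
```

Run it as-is to see the derived record and the parent's decisions; point `ZONE` and `ZONE_DNSKEYS` at the output of `dig DNSKEY` for a real zone to check that zone's published CDS set before a registry does.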

