Gert,

On Wednesday, 2012-09-05 22:01:45 +0200, Gert Doering <gert@space.net> wrote:
> Hi,
>
> On Wed, Sep 05, 2012 at 04:53:41PM +0200, Shane Kerr wrote:
> > On Wednesday, 2012-09-05 15:56:01 +0200, Gert Doering <gert@space.net> wrote:
> > > So, how would you authenticate that I'm authorized or not to have a DNS delegation for 30.195.in-addr.arpa? Without help of the RIPE NCC?
> >
> > People seem to be able to manage this on the routing side today, so presumably those mechanisms would work here too.
>
> Do they?
>
> What I've seen here that *works* is "query the RIPE DB for the published route(6): objects for a given AS number, and accept that".

Yes, this. :) For the DNS side, it could be something as simple as saying "add the comment $RANDOM_TOKEN as a comment to your DOMAIN object". Or even better, using the PGP or X.509 of the address maintainer to authenticate the request.

> > But of course it would be even better to have explicit authorization mechanisms. Perhaps the RIRs could develop some sort of address certification technology... ;)
>
> That could be done, yes. Using the PKI tech for "DNSOA" certification - but that smells like much more effort than to just run the DNS servers :-)

The initial authentication - and presumably periodic checks - should come from the RIR.

There are a few real benefits that could result from a dedicated DNS service though. The biggest benefit would likely be from a service that was not simply a delegation-only service, but also acted as a DNS hoster, either as the primary or secondary source. Of course you can arrange that on your own today, but one-stop-shopping has some value.

Also, a service could work across multiple RIRs, so you could manage your worldwide reverse DNS from a single place. (I admit this is not such a big deal, since there are only a few RIRs and any organization spread across multiple regions won't have a huge problem tracking these details.) In order to work across multiple RIRs, it might need to look a bit like a DNS registrar, rather than a registry, since you may not want a single organization controlling the entire reverse DNS.

Again, this isn't a serious proposal. It's less serious than when I propose eliminating reverse DNS altogether, at least. :)

--
Shane
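As an added illustration of the "$RANDOM_TOKEN as a comment on your DOMAIN object" idea from the reply above (this is example code, not anything from the list thread or from the RIPE NCC), the following shows what the verifying side of that check would look like: issue a random token bound to the zone and an expiry, then confirm the token appears as a `remarks:` attribute of the DOMAIN object. The object text, the `dnsauth-` token prefix, the 24-hour lifetime and the use of `remarks:` as the comment field are all assumptions made for the example; the object below is constructed sample data, not a real registry record.

```python
"""
Challenge-token verification for a reverse-DNS delegation request.

Flow (as suggested in the thread, details assumed here):
  1. the verifier issues a random token for the requested zone,
  2. the holder adds that token as a comment on their DOMAIN object,
  3. the verifier fetches the object and confirms the token is present
     before the challenge expires.
"""
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a challenge


def issue_challenge(domain: str, now: Optional[float] = None) -> dict:
    """Create a fresh, unguessable token bound to one zone and an expiry."""
    issued = time.time() if now is None else now
    return {
        "domain": domain.lower().rstrip("."),
        "token": "dnsauth-" + secrets.token_hex(16),  # 128 bits of randomness
        "expires": issued + TOKEN_TTL_SECONDS,
    }


def parse_rpsl(text: str) -> dict:
    """Parse a whois/RPSL-style object into attribute -> list of values.

    Continuation lines (leading whitespace or '+') extend the previous
    attribute's value; anything after '#' is a comment and is dropped.
    """
    attrs: dict = {}
    last = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t+" and last is not None:
            attrs[last][-1] += " " + line.lstrip(" \t+")
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        attrs.setdefault(key, []).append(value.strip())
        last = key
    return attrs


def verify_challenge(challenge: dict, object_text: str,
                     now: Optional[float] = None) -> tuple:
    """Return (ok, reason). ok is True only if the object is for the
    challenged zone, the challenge is unexpired, and the exact token
    appears in a remarks: attribute."""
    current = time.time() if now is None else now
    if current > challenge["expires"]:
        return False, "challenge expired"
    attrs = parse_rpsl(object_text)
    domains = [d.lower().rstrip(".") for d in attrs.get("domain", [])]
    if challenge["domain"] not in domains:
        return False, "object is for a different domain"
    token = challenge["token"].encode()
    # Constant-time comparison so the check does not leak token prefixes.
    for remark in attrs.get("remarks", []):
        if hmac.compare_digest(remark.encode(), token):
            return True, "token present"
    return False, "token not found"


def build_sample_object(token: str) -> str:
    """Constructed sample DOMAIN object (not a real registry record)."""
    return (
        "domain:        30.195.in-addr.arpa\n"
        "descr:         constructed sample object   # not real data\n"
        "nserver:       ns1.example.net\n"
        "nserver:       ns2.example.net\n"
        f"remarks:       {token}\n"
        "mnt-by:        EXAMPLE-MNT\n"
        "source:        EXAMPLE\n"
    )


if __name__ == "__main__":
    challenge = issue_challenge("30.195.in-addr.arpa")
    print("ask the holder to add this remark:", challenge["token"])
    print(verify_challenge(challenge, build_sample_object(challenge["token"])))
    print(verify_challenge(challenge, build_sample_object("dnsauth-someone-else")))
```

In practice the object text would come from a registry query rather than `build_sample_object`; the points the example makes are that the token must be random and single-use, bound to one zone, time-limited, and compared in constant time, and that the check should fail closed on a mismatched `domain:` attribute rather than on the token alone.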