Tony,

On 10/06/2019 17.44, Tony Finch wrote:
> Shane Kerr <shane@time-travellers.org> wrote:
>> The good news is that as a member of the RIPE community, you and all of the rest of us have a chance to shape the policy here. If we think that we need a RIPE policy or other RIPE community recommendation to the RIPE NCC regarding delegation to open resolvers, we have a policy process we can follow to make one.
>
> I couldn't find out how to use the policy process to get RFC 7344 CDS automation in place :-(

Shortly before RIPE 75 people (including yourself) called for CDS/CDNSKEY support:

https://labs.ripe.net/Members/anandb/the-future-of-dnssec-at-the-ripe-ncc

At RIPE 77, Anand mentioned that the RIPE NCC was thinking about CDS/CDNSKEY, but wanted some discussion beforehand:

https://ripe77.ripe.net/wp-content/uploads/presentations/137-RIPE77_DNS_Upda...

You again asked for support of CDS/CDNSKEY during the meeting itself.

The RIPE NCC recently announced at RIPE 78 that they now support RFC 8078 for reverse DNS:

https://ripe78.ripe.net/presentations/138-138-RIPE78_DNS_Update.pdf

This is only for updates (and I guess removals?) of DS records; the initial delegation has to be done manually.

It seems like everything worked pretty well to me, although I suppose one could argue that the wait was too long. I'm not sure that we need any more policies than what we have.

Of course, if the goal was ADDING of DS records, then I admit that the system is not there. I can see the benefit of being able to add DS records to the parent via CDS/CDNSKEY, especially for operators trying to secure (for example) reverse DNS for lots of /24's. Is this important to you (or anyone else)?

Cheers,

--
Shane