<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Apparently I didn't include the DNS script library link mentioned
in my note. Sorry.</p>
<p><a href="https://github.com/srvrco/getssl/tree/master/dns_scripts">https://github.com/srvrco/getssl/tree/master/dns_scripts</a></p>
<p>On 29-Dec-22 13:45, Peter wrote:</p>
<blockquote type="cite"
cite="mid:Y63gSAM2FVCGIAED@disp.intra.daemon.contact">
<pre class="moz-quote-pre" wrap="">On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote:
! (Manual processes
! are error-prone. That getting registrars to adopt CDS/CDNSKEY - RFC7344 -
! has been so slow is unfortunate.)
Seconded. Do you have information about this moving at all? Because to
me it looks very much like dead-in-the-water, and my registrar didn't
even know what that is.
Otherwise I would have perfect automation for continuous rollover -
but still I have to either hack the data into their web interface, or
figure out what kind of crappy API they might have - and in my view the
first option is boring and the second is superfluous work.
cheerio,
PMc</pre>
</blockquote>
<p>Yup, Eric's case was a classic example. He tried to do the right
thing, put in the wrong record, and the system didn't produce the
expected results. To his credit, he persisted. Most people
don't. A while ago there was a study (<a
href="https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/">cloudflare/APNIC</a>)
that showed that only about 40% of people who enabled DNSSEC
for their accounts successfully served DS records in their
registry.</p>
<p>There are some registrars and registries who support CDS/CDNSKEY
(RFC7344/8078). Unfortunately, not enough.</p>
<p>I don't track it closely, but here are a few who claim support
when last I looked.</p>
<p>.cz, .ch, .li, .ne, .se, .sk</p>
<p>DNSSimple, domainnameshop</p>
<p>GoDaddy publishes CDS and CDNSKEY when it manages DNSSEC, but
doesn't poll when delegated. I don't think they bridge (poll
&amp; then use EPP for domain registries that don't poll.)</p>
<p>Cloudflare was an advocate, and has published for a long time.
Again, the issue is registries.</p>
<p><a href="https://github.com/oskar456/cds-updates">https://github.com/oskar456/cds-updates</a>
has a list that seems more current. Note that none of the big 13
are on it - .com, .net, .org, .info, .gov, .edu, ...</p>
<p>There are hybrid approaches. Most of the registrars have some
sort of proprietary API that allows a script to
insert/delete/modify records. So you can let BIND generate them
and script the registry updates. But it's ad-hoc for each
registrar.</p>
<p>For some idea of what a mess that is, here is a library of DNS
update scripts for a number of registrars (used by a LetsEncrypt
script, but the aggravation/diversity is the same).</p>
<p>I suspect that to get any forward progress, someone will have to
come up with a business case that shows why the registries should
take action. Or get ICANN to mandate it. There are various user
constituencies in ICANN, but that's a highly political process.</p>
<p>So much like DNSSEC itself, the technology is there, but the will
to use it everywhere it's needed is not.</p>
<p>(I'm not involved with any of the players, aside from reviewing
the RFC drafts. Just an interested, and frustrated, observer.)</p>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
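The hybrid approach described in the message (let BIND publish CDS, script the registry side) needs one check at its core: what the child publishes as CDS versus what the parent actually serves as DS. The block below is an added example, not code from this thread, from BIND or from getssl; it computes the add/delete set a registry-update script would have to push and honours the RFC 8078 delete sentinel. All names and records are constructed.

```python
"""Added example, not from the thread or from getssl: compare a zone's published
CDS RRset (RFC 7344) with the DS RRset its parent serves and derive the registry
changes a scripted updater would push. Sample records are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, upper-cased, whitespace removed

# RFC 8078 section 4: a lone CDS "0 0 0 00" asks the parent to drop all DS records.
DELETE_SENTINEL = DS(0, 0, 0, "00")

def parse_ds(line: str) -> DS:
    """Parse one DS/CDS record: full presentation form ("owner TTL IN CDS ...")
    or bare rdata; the digest may be split into several whitespace chunks."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok.upper() in ("DS", "CDS"):
            fields = fields[i + 1:]
            break
    tag, alg, dtype, *digest = fields
    return DS(int(tag), int(alg), int(dtype), "".join(digest).upper())

def _rrset(lines):
    return {parse_ds(l) for l in lines if l.strip() and not l.lstrip().startswith(";")}

def plan_ds_update(cds_lines, parent_ds_lines):
    """Return (to_add, to_delete): DS records the parent must add and remove so
    its DS RRset matches the child's CDS RRset.
    Caveat: a real poller must first validate the CDS RRSIG with a key already
    represented in the parent's DS set (RFC 7344 section 4.1); this example
    assumes that was done before the records got here."""
    cds, parent = _rrset(cds_lines), _rrset(parent_ds_lines)
    if DELETE_SENTINEL in cds:
        if len(cds) != 1:
            raise ValueError("CDS delete sentinel mixed with real CDS records")
        return set(), parent            # child asks for an insecure delegation
    return cds - parent, parent - cds   # what the registry must add / remove

# Constructed sample: the child rolled in a second KSK (tag 54321) but the parent
# still serves only the original DS, with a lower-case digest.
CHILD_CDS = [
    "example.test. 3600 IN CDS 12345 13 2 " + "0123456789ABCDEF" * 4,
    "example.test. 3600 IN CDS 54321 13 2 " + "FEDCBA9876543210" * 4,
]
PARENT_DS = ["example.test. 86400 IN DS 12345 13 2 " + "0123456789abcdef" * 4]
```

On the sample, plan_ds_update(CHILD_CDS, PARENT_DS) reports the tag-54321 DS as the one record to add and nothing to delete, which is exactly the "rolled but never delegated" state the cited study counted as a failure.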
</body>
</html>