[dnssec-coord] Dec 5th DNSSEC Coordination Call - special topic: APIs into DNS operators?

Edward Lewis ed.lewis at neustar.biz
Thu Jan 2 07:46:01 PST 2014


The basic ingredient to:

> Beyond that, though, we'd like to explore what might be possible to explore in terms of APIs that could be developed to help various (authorized!) parties to more easily input data into DNS zone files maintained by DNS operators.  This came up in a recent conversation with Steve Crocker, Wes Hardaker, Paul Kretkowski and myself.  The context was that for people to truly start using DANE on a large scale, particularly for, say, communication mechanisms (ex. supplying certs for 1,000 IM or VoIP endpoints versus just supplying the TLS cert for a single website) there needs to be an easy way to upload records for devices into a DNS operator's database without having to use web interfaces or similar such manual processes.

Is the unknown record types.  The technical side of this is the ability for someone to enter "TYPE##" and the hex of the RDATA, this is generally not available.  The non-technical hurdle is getting operators to be willing to host records "they don't understand" - and I'll stress that is a valid concern.

I'm throwing this in now because it's 15 minutes to the call and I don't think the WebEx/phone information is available. ;)  Maybe I missed....

On Nov 13, 2013, at 16:21, Dan York wrote:

> DNSSEC-Coord members,
> 
> Our next call will be on Thursday, December 5, 2013, at our usual time of 17:00 UTC / 11:00 US Eastern.  My current expectation is that we'll have at least these topics to talk about:
> 
> - Outcome of ICANN 48 DNSSEC Workshop that happens Nov 20
> - Root Key Rollover guidance document that was just released by SSAC
> - Updates on generation of DNSSEC deployment maps
> - Activities to encourage people to use tools to help measure DNSSEC validation
> 
> Beyond that, though, we'd like to explore what might be possible to explore in terms of APIs that could be developed to help various (authorized!) parties to more easily input data into DNS zone files maintained by DNS operators.  This came up in a recent conversation with Steve Crocker, Wes Hardaker, Paul Kretkowski and myself.  The context was that for people to truly start using DANE on a large scale, particularly for, say, communication mechanisms (ex. supplying certs for 1,000 IM or VoIP endpoints versus just supplying the TLS cert for a single website) there needs to be an easy way to upload records for devices into a DNS operator's database without having to use web interfaces or similar such manual processes.
> 
> Now there are some aspects of this that are not purely technical - if you could put a record into a zone file via an API, how rapidly should the DNS operator publish that zone?  What kind of SLAs might need to be in place?  
> 
> But outside of those operational considerations, what could an API look like for this?  What code could be written to support it?  Who might be interested in testing it out?  What would the barriers be to getting something like this deployed?
> 
> Note that our particular interest was for DNSSEC-related records, but such an API could be useful for any DNS records. 
> 
> Are there already APIs out there that could be used for this?  Is the issue then getting DNS operators to offer this API for customers to use?  What could be done to help with that?
> 
> Ideas, suggestions, comments are definitely welcome anytime in advance of the meeting... and in the meeting we'd like to get some discussion around this topic and see what could be done.
> 
> Dan
> 
> P.S. Any other topics people want to bring up for the Dec 5th meeting?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

Why is it that people who fear government monitoring of social media are
surprised to learn that I avoid contributing to social media?
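
An added illustration, not part of the original message: the "TYPE##" plus hex RDATA form mentioned above is the RFC 3597 generic syntax, shown here for a DANE TLSA record (type 52, RFC 6698) together with the length and hex checks an operator can apply without understanding the type. The function names, the sample certificate bytes and the owner name are constructed for this example.

```python
import hashlib
import re

TLSA = 52  # TLSA RR type number (RFC 6698)

def tlsa_rdata(usage: int, selector: int, mtype: int, assoc: bytes) -> bytes:
    """Wire-format TLSA RDATA: three one-octet fields, then the association data."""
    for name, value in (("usage", usage), ("selector", selector), ("mtype", mtype)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} must fit in one octet")
    return bytes([usage, selector, mtype]) + assoc

def to_generic(rrtype: int, rdata: bytes) -> str:
    """Render any RR as RFC 3597 text: TYPE<n> \\# <length> <hex>."""
    if not 0 <= rrtype <= 0xFFFF or len(rdata) > 0xFFFF:
        raise ValueError("type or RDATA length out of range")
    return f"TYPE{rrtype} \\# {len(rdata)} {rdata.hex()}".rstrip()

_GENERIC = re.compile(r"TYPE(\d{1,5})\s+\\#\s+(\d{1,5})((?:\s+[0-9A-Fa-f]+)*)")

def from_generic(text: str) -> tuple[int, bytes]:
    """Operator-side check: parse the generic form and reject malformed input."""
    m = _GENERIC.fullmatch(text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic syntax")
    rrtype, length = int(m.group(1)), int(m.group(2))
    words = m.group(3).split()
    if rrtype > 0xFFFF or any(len(w) % 2 for w in words):
        raise ValueError("type out of range or odd-length hex word")
    rdata = bytes.fromhex("".join(words))
    if len(rdata) != length:
        raise ValueError("declared length does not match hex data")
    return rrtype, rdata

# Constructed sample: stands in for one endpoint's DER-encoded certificate.
SAMPLE_CERT = b"constructed-example-certificate-bytes"
# Usage 3 (DANE-EE), selector 0 (full certificate), matching type 1 (SHA-256).
SAMPLE_RDATA = tlsa_rdata(3, 0, 1, hashlib.sha256(SAMPLE_CERT).digest())
SAMPLE_LINE = to_generic(TLSA, SAMPLE_RDATA)

if __name__ == "__main__":
    # Constructed owner name, for illustration only.
    print("_443._tcp.device1.example.com. 3600 IN", SAMPLE_LINE)
    print(from_generic(SAMPLE_LINE) == (TLSA, SAMPLE_RDATA))
```
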
