[gtld-tech] Svelte CZDS zone files?

John R Levine johnl at taugh.com
Wed Sep 14 02:35:06 UTC 2022


>> Changing it to work by AXFR/IXFR would be quite a challenge.
>
> On ICANN’s side, what more would it require standing up a name server 
> and sharing TSIG keys?  If DNS UPDATE were also implemented, it would 
> address the timeliness issue (if the registries were willing to play 
> along).

Due to the three month expiry, I doubt that any two clients have access to 
the same set of zones, which would make ACL management pretty exciting, 
particularly since I believe the credentials are stored in some SSO thing 
from Okta.  There's over a thousand zones and there's certainly over a 
thousand users, so we're talking about ACLs with more than a million 
entries.

Also, based on some of the chatter here, I suspect that many of the 
users do not have the expertise to run a secondary DNS server and manage 
TSIGs.  A lot of CZDS users log into a web site and point and click to 
download files.

> Of course, CZDS users would likely need to change their code.  However, 
> this wouldn’t have to be either/or — both could be done with the benefit 
> of using IXFR being only getting the diffs (and, potentially better 
> timeliness).

Viktor and I can do whatever we need to, but I don't think that scales. 
The automatic scripted stuff is somewhat documented for the daily 
downloads, and not at all for all the other stuff like extensions and 
renewals.

Regards,
John Levine, johnl at taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

