To: James Gould <jgould@verisign.com>
CC: Patrick Mevzek <provreg@contact.dotandco.com>, EPP Provreg <ietf-provreg@cafax.se>
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Date: Fri, 12 Dec 2008 10:23:25 +0100
In-Reply-To: <C5669512.2FBFD%jgould@verisign.com>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1b3pre) Gecko/20081210 Shredder/3.0b2pre
Subject: Re: [ietf-provreg] DNSSEC EPP Extension (RFC 4310) Usability Question
On 12/11/2008 03:59 PM, James Gould wrote:
> [...]
>
> There is also the issue of transfers. What happens when a signed domain
> is transferred to another Registrar? Does the DS data transfer along
> with it or does it get cleared? I'm assuming that it would be
> transferred along in a similar model as the name servers. It is up to
> the gaining Registrar to update the name servers and DS data assuming
> that the hosting is changing along with the transfer.
> [...]

The DS data is not a separate object, but part of the domain object, so there is no question that it shall be transferred along with the domain itself. Also it is doubtless that the data MAY NOT be cleared.

But this brings me to another question which I have already discussed with various people, but with no real satisfying answer yet. Maybe this list is not the right place for this question either, but does the management of the DS data via the whole reseller-registrar chain suffice the security needs of the DNSSEC infrastructure? As the name server operator is not necessarily even in this chain, there could be weak links, attack vectors that could void the security gained by the DNSSEC protocol itself. Shouldn't the name server operator get a separate out-of-band channel to the registry operator to submit the DS data directly, for example with a subset of RFC 4931/RFC 4310?

Any comments on this?

Regards,

Klaus