

To: Klaus Malorny <Klaus.Malorny@knipp.de>
Cc: James Gould <jgould@verisign.com>, Patrick Mevzek <provreg@contact.dotandco.com>, EPP Provreg <ietf-provreg@cafax.se>
From: Patrik Fältström <paf@cisco.com>
Date: Fri, 12 Dec 2008 10:52:44 +0100
In-Reply-To: <49422D8D.50106@knipp.de>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] DNSSEC EPP Extension (RFC 4310) Usability Question

On 12 dec 2008, at 10.23, Klaus Malorny wrote:

> Shouldn't the name server operator get a separate out-of-the-band  
> channel to the registry operator to submit the DS data directly, for  
> example with a subset of RFC 4931/RFC 4310? Any comments on this?

My immediate reaction is "no". There is the same attack vector as  
changes in NS records or glue. I think the DS data should definitely  
follow the same path as other domain related data.

That said, the registry can easily do some checks and balances  
calculation when the data arrive -- before the zone is published. Just  
like they can check glue, that servers are auth etc, they can also  
check the KSK in the child zone that it matches the DS passed to them.

    Patrik
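The registry-side check Patrik describes (compare the DS submitted through EPP against the KSK actually published in the child zone) as an added example; this is not code from the thread or from any EPP implementation. It assumes a constructed owner name `example.test` and dummy key bytes in place of a real RSA public key; the DS digest and key tag follow RFC 4034.

```python
import hashlib
import hmac
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.rstrip('.').lower().split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack('!HBB', flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types

def ds_from_dnskey(owner, key, digest_type=2):
    """Build the DS record a parent would publish for this DNSKEY."""
    rdata = dnskey_rdata(key['flags'], key['protocol'], key['algorithm'], key['pubkey'])
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {'key_tag': key_tag(rdata), 'algorithm': key['algorithm'],
            'digest_type': digest_type, 'digest': digest}

def ds_matches_child_ksk(submitted_ds, child_dnskeys, owner):
    """Registry check: does the submitted DS correspond to a SEP (KSK) key
    that the child zone really publishes? Keys here would come from a DNSKEY
    query against the child's authoritative servers."""
    for key in child_dnskeys:
        if not key['flags'] & 0x0001:           # SEP bit not set: not a KSK
            continue
        if key['algorithm'] != submitted_ds['algorithm']:
            continue
        expected = ds_from_dnskey(owner, key, submitted_ds['digest_type'])
        if expected['key_tag'] == submitted_ds['key_tag'] and \
           hmac.compare_digest(expected['digest'], submitted_ds['digest'].upper()):
            return True
    return False

# Constructed sample data: the key bytes are a dummy, not real key material.
OWNER = 'example.test.'
CHILD_KSK = {'flags': 257, 'protocol': 3, 'algorithm': 8, 'pubkey': b'\x01\x02\x03\x04'}
GOOD_DS = ds_from_dnskey(OWNER, CHILD_KSK)            # what a correct EPP submission carries
BAD_DS = dict(GOOD_DS, digest='00' * 32)             # a submission that matches no published key
```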

