To: Olafur Gudmundsson <ogud@ogud.com>
CC: EPP Provreg <ietf-provreg@cafax.se>
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Date: Mon, 22 Dec 2008 15:25:17 +0100
In-Reply-To: <200812181509.mBIF9Cs5085707@stora.ogud.com>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1b3pre) Gecko/20081221 Shredder/3.0b2pre
Subject: Re: [ietf-provreg] DNSSEC EPP Extension (RFC 4310) Usability Question
On 18/12/08 16:08, Olafur Gudmundsson wrote:
>> The DS data is not a separate object, but part of the domain object,
>> so there is no question that it shall be transferred along with the
>> domain itself. Also it is doubtless that the data MAY NOT be cleared.
>
> Clearing DS is what you do when child stops using DNSSEC, thus it must
> be allowed.
>

Sure -- I expressed myself unclearly. I meant that they should not be cleared as a side effect of transfers, as a transfer does not necessarily mean that the domain is moved to a new name server operator and/or to a new set of name servers.

> [...]
>
> The important question that registries need to ask themselves is
> "Does the DS record in the EPP update the data go into the registry or
> does it only go in if/after the child's DNSKEY RRset has a key that
> matches the DS record?"

A pre-check may reduce the risk of human/machine errors that either make the domain unsigned or suggest the domain being compromised. But it seems to me that it does not improve security in general.

Thinking a little bit more about my question after your and Patrick's answers, I have to admit that it is probably not a good idea -- first, the establishment and management of this channel is a problem. If one would not trust the registrar/reseller chain enough, this separate channel could not be created/maintained using their credibility. However, alternative solutions are likely hard to find. Second, name server assignment/host management would need to be moved to the name server operators as well. This sounds like a big responsibility mess.

Regards,
Klaus
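The pre-check discussed above (accept a DS record from an EPP update only if a key in the child's DNSKEY RRset actually reproduces it) is mechanical to implement once the DS digest and key tag rules of RFC 4034 are spelled out. The following is an added example written for this archive page, not code from the thread participants or from any registry: it derives a DS from a DNSKEY (digest over the canonical owner name followed by the DNSKEY RDATA, key tag per RFC 4034 Appendix B) and checks a submitted DS against an RRset. The owner name, flags and 64-byte public key are constructed sample values, not real zone material; the RRset would in practice be fetched from the child's name servers before the EPP update is committed.

```python
"""Pre-check that a DS record offered in an EPP update matches a key in the
child zone's DNSKEY RRset (RFC 4034 section 5 DS digest, Appendix B key tag).
Example code written for this note; all key material below is constructed."""
import hashlib
import hmac
import struct
from typing import List, Tuple

# DS RDATA as a tuple: (key_tag, algorithm, digest_type, digest_hex)
DS = Tuple[int, int, int, str]
# DNSKEY RDATA fields: (flags, protocol, algorithm, public_key_bytes)
DNSKEY = Tuple[int, int, int, bytes]

# Digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}
ZONE_KEY_FLAG = 0x0100  # bit 7 of the DNSKEY flags field


def owner_to_canonical_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    flags, protocol, algorithm, public_key = key
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete
    RSA/MD5 algorithm 1, which uses a different rule and is not handled here)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Derive the DS RDATA referring to `key`: hash(owner || DNSKEY RDATA)."""
    rdata = dnskey_rdata(key)
    digest = DIGEST_ALGS[digest_type](owner_to_canonical_wire(owner) + rdata)
    return (key_tag(rdata), key[2], digest_type, digest.hexdigest().upper())


def ds_matches_rrset(owner: str, ds: DS, rrset: List[DNSKEY]) -> bool:
    """Registry-side pre-check: accept the DS only if some zone key in the
    child's DNSKEY RRset reproduces tag, algorithm and digest exactly."""
    tag, alg, digest_type, digest = ds
    if digest_type not in DIGEST_ALGS:
        return False  # unknown digest type cannot be validated, so reject it
    for key in rrset:
        flags, protocol, key_alg, _ = key
        # A DS must point at a zone key (RFC 4034 section 2.1.1), protocol 3
        if protocol != 3 or not flags & ZONE_KEY_FLAG or key_alg != alg:
            continue
        candidate = compute_ds(owner, key, digest_type)
        if candidate[0] == tag and hmac.compare_digest(candidate[3], digest.upper()):
            return True
    return False


# Constructed sample data: a KSK-flagged key (257) and a ZSK (256), both with
# dummy 64-byte public keys; neither is a real key.
EXAMPLE_OWNER = "example.test."
EXAMPLE_KSK: DNSKEY = (257, 3, 13, bytes(range(64)))
EXAMPLE_OTHER_KEY: DNSKEY = (256, 3, 13, bytes(range(64, 128)))


def demo() -> Tuple[bool, bool]:
    """Returns (accepted when the signing key is published,
                accepted when only a different key is published)."""
    ds = compute_ds(EXAMPLE_OWNER, EXAMPLE_KSK)
    ok = ds_matches_rrset(EXAMPLE_OWNER, ds, [EXAMPLE_OTHER_KEY, EXAMPLE_KSK])
    bad = ds_matches_rrset(EXAMPLE_OWNER, ds, [EXAMPLE_OTHER_KEY])
    return ok, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The comparison is done on the digest the registry recomputes from the child's published key rather than on anything the registrar asserts, which is what makes the check catch a typo or a DS submitted for a key that was never published. A rejected DS should be reported back to the registrar as an EPP error rather than silently dropped, so that the failure mode Klaus describes (an unsigned or apparently compromised domain) is visible at submission time.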