

To: EPP Provreg <ietf-provreg@cafax.se>
From: Andrew Sullivan <ajs@shinkuro.com>
Date: Mon, 29 Dec 2008 09:44:04 -0500
Content-Disposition: inline
In-Reply-To: <27799D3A07C9EC43910872D892858442029A38A6@dul1wnexmb01.vcorp.ad.vrsn.com>
Mail-Followup-To: Andrew Sullivan <ajs@shinkuro.com>,EPP Provreg <ietf-provreg@cafax.se>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [ietf-provreg] DNSSEC EPP Extension (RFC 4310) Usability Question

Hi,

On Sun, Dec 28, 2008 at 12:35:48PM -0500, Gould, James wrote:
> 
> Overall, I believe that the inability to do both an add and remove
> in RFC 4310 is an oversight that should be addressed to be
> consistent with the rest of the EPP specifications and to ensure
> transactional consistency, but I'm not sure if it is bad enough to
> warrant the process to make the change on its own.  Based on the
> provreg e-mail list it doesn't look like anyone believes that it does
> warrant a change to RFC 4310 at this point (other than maybe me), so
> if there is anyone out there that believes that it does please reply
> to the list.

I think it does, and I'm willing to work on such changes.  I do worry
about the operational effects of performing add and remove at the same
time: it seems to me to be the sort of thing that could take a domain
dark. 

There's an additional issue in this area that's troubling to me, which
has to do with domain transfers in a DNSSEC context, particularly in
cases where the private keys for the two sponsors can't be shared
(imagine the case where the two sponsors are each involved in
operating the DNS for the target domain; in this case, they're not
going to share private keys with one another).  It seems to me that in
such a case, a sponsor needs to be able to add a DS record to a domain
object when the sponsor doesn't actually own the domain.  This is
problematic, because obviously we don't want random others being able
to add properties to the objects one sponsors.  It would be possible
to allow this while a transfer is pending, but often there are various
prohibitions on such a domain, and perhaps those will conflict with
the ability of the gaining sponsor to add properties to the
prospectively-transferred domain.  Thoughts?

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
