To: Andrew Sullivan <ajs@shinkuro.com>
Cc: EPP Provreg <ietf-provreg@cafax.se>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Date: Mon, 29 Dec 2008 10:31:24 -0500
In-Reply-To: <20081229144403.GA30962@shinkuro.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] DNSSEC EPP Extension (RFC 4310) Usability Question

At 9:44 -0500 12/29/08, Andrew Sullivan wrote:

>There's an additional issue in this area that's troubling to me, which
>has to do with domain transfers in a DNSSEC context, particularly in
>cases where the private keys for the two sponsors can't be shared
>(imagine the case where the two sponsors are each involved in
>operating the DNS for the target domain; in this case, they're not
>going to share private keys with one another).  It seems to me that in
>such a case, a sponsor needs to be able to add a DS record to a domain
>object when the sponsor doesn't actually own the domain.  This is
>problematic, because obviously we don't want random others being able
>to add properties to the objects one sponsors.  It would be possible
>to allow this while a transfer is pending, but often there are various
>prohibitions on such a domain, and perhaps those will conflict with
>the ability of the gaining sponsor to add properties to the
>prospectively-transferred domain.  Thoughts?

What do you mean by "the private keys for the two sponsors?"

Splitting hairs, the signing of DNS information happens after it 
leaves the database (of the registry) and before it hits what is 
currently known as the DNS (the master server).  If a registrant has 
two operators for DNS (and many do), the operators are either both 
offering slave service or one is slaving off the other.

IOW, if there are two sources of key-pairs for a domain name, there's 
trouble elsewhere.

Maybe I don't understand the situation you have in mind.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Never confuse activity with progress.  Activity pays more.
