[dns-operations] How to transfer DS records to parent zone?

Vernon Schryver vjs at rhyolite.com
Sat Jul 14 17:28:14 UTC 2012

>                                 they handled the DS submission via email 

There seem to be more than one registrar that claims to handle DNSSEC
via mail.  Never mind security questions such as whether or how (e.g.
PGP vs. S/MIME) that mail is signed or there are other protections
against bad guy games.  RFC 4641 suggests "planning for a key effectivity
on the order of a few months" for key signing keys.  Negotiating with
a registrar's support mailbox every few months or even once every year
or two strikes me as at best impractical in a professional operational
(as opposed to vanity domain or test) setting.  And what happens in an
emergency key rollover after you suspect that the computer with the
secret keys has been compromised or a less than amicable trusted
employee departure?  As far as I'm concerned, the years old registar
answer to the "DNSSEC?" question of "send mail to support" is a
disingenuous effort to pass checklists.

I don't understand why registrars are dragging their feet.  To my
naive ears, transfer locking, "privacy guard", HTTP and mail
forwarding, and other de facto standard registrar services sound
harder than accepting and signing keys.  But then I also don't
understand why it took them so long to start handling IPv6 glue.

Vernon Schryver    vjs at rhyolite.com

P.S. Of course, given men in the middle and so forth, the HTTPS web
pages used by registrars to change NS and glue records are not very
secure...except compared to unauthenticated, trivially forged mail.

More information about the dns-operations mailing list