[dns-operations] How to transfer DS records to parent zone?
Michele Neylon :: Blacknight
michele at blacknight.ie
Sat Jul 14 20:35:04 UTC 2012
Vernon
Registrars are commercial entities. We support products / services for which there is a commercial demand.
Regards
Michele
Mr. Michele Neylon
Blacknight
http://Blacknight.tel
Via iPhone so excuse typos and brevity
On 14 Jul 2012, at 19:28, "Vernon Schryver" <vjs at rhyolite.com> wrote:
>> they handled the DS submission via email
>
> There seems to be more than one registrar that claims to handle DNSSEC
> via mail. Never mind security questions such as whether or how (e.g.
> PGP vs. S/MIME) that mail is signed or there are other protections
> against bad guy games. RFC 4641 suggests "planning for a key effectivity
> on the order of a few months" for key signing keys. Negotiating with
> a registrar's support mailbox every few months or even once every year
> or two strikes me as at best impractical in a professional operational
> (as opposed to vanity domain or test) setting. And what happens in an
> emergency key rollover after you suspect that the computer with the
> secret keys has been compromised or a less than amicable trusted
> employee departure? As far as I'm concerned, the years-old registrar
> answer to the "DNSSEC?" question of "send mail to support" is a
> disingenuous effort to pass checklists.
>
> I don't understand why registrars are dragging their feet. To my
> naive ears, transfer locking, "privacy guard", HTTP and mail
> forwarding, and other de facto standard registrar services sound
> harder than accepting and signing keys. But then I also don't
> understand why it took them so long to start handling IPv6 glue.
>
>
> Vernon Schryver vjs at rhyolite.com
>
> P.S. Of course, given men in the middle and so forth, the HTTPS web
> pages used by registrars to change NS and glue records are not very
> secure...except compared to unauthenticated, trivially forged mail.