[dns-operations] How to transfer DS records to parent zone?

Rubens Kuhl rubensk at nic.br
Sun Jul 15 00:02:05 UTC 2012


Michele,

If you ask customers if they need "DS record", they will say they don't. If you ask customers if they want their domains to be falsified, they will also say they don't. Customers pay the ecosystem (ICANN, registries, registrars, hosting companies) for a service, and if you describe to them what can happen with DNS and what can be prevented with DNSSEC, I'm pretty sure they will tell you that they thought the DNS system was much more secure than you described, and find DNSSEC a closer match to what they hoped the service already was. 

As an industry, we have the opportunity of giving our customers the blue pill and keeping them happy, or letting someone else give them the red pill and show them what can really happen. 

I'm all in favor of basing decisions on demand, but we need to ask questions customers understand. 

Rubens
… disclaimer: working for an organization that allowed registrants to upload DS records for some years

On 14/07/2012, at 17:35, Michele Neylon :: Blacknight wrote:

> Vernon
> 
> Registrars are commercial entities. We support products / services for which there is a commercial demand.
> 
> Regards
> 
> Michele
> 
> 
> Mr. Michele Neylon
> Blacknight
> http://Blacknight.tel
> 
> Via iPhone so excuse typos and brevity
> 
> On 14 Jul 2012, at 19:28, "Vernon Schryver" <vjs at rhyolite.com> wrote:
> 
>>> they handled the DS submission via email
>> 
>> There seem to be more than one registrar that claims to handle DNSSEC
>> via mail.  Never mind security questions such as whether or how (e.g.
>> PGP vs. S/MIME) that mail is signed or there are other protections
>> against bad guy games.  RFC 4641 suggests "planning for a key effectivity
>> on the order of a few months" for key signing keys.  Negotiating with
>> a registrar's support mailbox every few months or even once every year
>> or two strikes me as at best impractical in a professional operational
>> (as opposed to vanity domain or test) setting.  And what happens in an
>> emergency key rollover after you suspect that the computer with the
>> secret keys has been compromised or a less than amicable trusted
>> employee departure?  As far as I'm concerned, the years-old registrar
>> answer to the "DNSSEC?" question of "send mail to support" is a
>> disingenuous effort to pass checklists.
>> 
>> I don't understand why registrars are dragging their feet.  To my
>> naive ears, transfer locking, "privacy guard", HTTP and mail
>> forwarding, and other de facto standard registrar services sound
>> harder than accepting and signing keys.  But then I also don't
>> understand why it took them so long to start handling IPv6 glue.
>> 
>> 
>> Vernon Schryver    vjs at rhyolite.com
>> 
>> P.S. Of course, given men in the middle and so forth, the HTTPS web
>> pages used by registrars to change NS and glue records are not very
>> secure...except compared to unauthenticated, trivially forged mail.
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
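The DS record Vernon is talking about submitting is fully determined by the child's KSK: key tag, algorithm, digest type and a digest over the canonical owner name plus the DNSKEY RDATA (RFC 4034 section 5 and Appendix B). The following is an added example, not code from this thread, any registrar or any DNS software; it derives the DS from a constructed sample KSK (placeholder key bytes, not a valid ECDSA point, and the mixed-case owner name is deliberate) and then checks a DS line in the form a parent zone would return, with TTL, class and a digest split across whitespace, against that key. Whatever channel the registrar uses, this is the comparison to run after the parent publishes.

```python
"""Derive a DS record from a DNSKEY and check it against what the parent publishes.

Added example, not code from the dns-operations thread or any registrar.
References: RFC 4034 s5 (DS RR), s6.2 (canonical owner name), Appendix B (key tag).
"""
import base64
import hashlib

# Constructed sample KSK: the public key bytes are placeholder material (not a
# valid ECDSA P-256 point) and the owner name is mixed-case on purpose.
SAMPLE_OWNER = "Example.COM."
SAMPLE_FLAGS = 257        # Zone Key (256) + Secure Entry Point (1): a KSK
SAMPLE_PROTOCOL = 3       # always 3 for DNSSEC
SAMPLE_ALGORITHM = 13     # ECDSAP256SHA256
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes([1, 2, 3, 4])).decode("ascii")  # "AQIDBA=="

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    stripped = name.rstrip(".")
    out = bytearray()
    for label in (stripped.split(".") if stripped else []):
        raw = label.lower().encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags (2 bytes), protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit ones'-complement-style sum over the RDATA
    (valid for every algorithm except the historic RSA/MD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """The DS RR the parent should publish for this DNSKEY, in presentation format."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(line: str):
    """Return (key_tag, algorithm, digest_type, digest_hex) from a DS line.
    Tolerates an optional TTL/class before 'DS' and a digest split over whitespace."""
    fields = line.split()
    i = fields.index("DS")
    return (int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]),
            "".join(fields[i + 4:]).upper())


def ds_matches(published: str, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey_b64: str) -> bool:
    """True iff the parent's DS is the one derived from our DNSKEY, using the parent's digest type."""
    tag, alg, dtype, digest = parse_ds(published)
    if dtype not in DIGEST_TYPES:
        return False
    expected = parse_ds(make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype))
    return (tag, alg, dtype, digest) == expected


if __name__ == "__main__":
    ours = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    print("DS to hand to the parent:", ours)
    # Constructed "parent" answer: TTL present, digest case-folded and split in two.
    f = ours.split()
    parent = f"{f[0]} 86400 IN DS {f[3]} {f[4]} {f[5]} {f[6][:32].lower()} {f[6][32:].lower()}"
    print("parent DS matches our KSK:",
          ds_matches(parent, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                     SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64))
```

In practice the DNSKEY fields come from the signer's published KSK and the DS line from `dig DS <zone>` at the parent; `dnssec-dsfromkey` (BIND) and `ldns-key2ds` compute the same value and are a useful cross-check that the key tag and digest above agree with tooling before anything is mailed to a registrar.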