[dns-operations] How to transfer DS records to parent zone?

Patrik Fältström paf at frobbit.se
Sun Jul 15 05:45:07 UTC 2012

On 14 jul 2012, at 19:28, Vernon Schryver wrote:

> I don't understand why registrars are dragging their feet.

Because registries have not made up their minds on how they are to implement DNSSEC and other things in EPP. I.e. registries are too fragmented and implementing all flavors of EPP is too costly.

For example, I am now, as a registrar, refusing to manage more than one (1) way of passing data to the registry. It so happened that I implemented the way .SE handles DNSSEC, by passing DS. Now other registries say I should do DNSKEY. What would that user interface look like for the registrant? When I then talk with other registries they say "but you can receive the DS, grab the DNSSEC keys from the DNS and..." (something that requires the registrant to have DNS up and running before the domain name is registered, which is not really possible in all cases). Why would I as a registrar implement that? Why is the _registrar_ forced to implement various things that end up as workarounds for registries that do not implement the same interface? Why are registries not taking the cost of implementing, if needed, multiple flavors of EPP?

So, yes, this can easily turn into a blame game between registries and registrars, but as it is _today_ the largest problem is that registries do have too fragmented policies for registration of domain names.

That said, yes, Frobbit is a registrar that does manage DNSSEC in the case that a) we are an accredited registrar and b) the registry does accept DS. This does not include the gTLDs because of (a), although we hope that will be resolved within the next couple of months. Becoming an accredited registrar for ICANN while not being based under US legislation is still too complicated.
