[dns-operations] How to transfer DS records to parent zone?

Olafur Gudmundsson ogud at ogud.com
Sun Jul 15 23:55:05 UTC 2012

On 14/07/2012 13:28, Vernon Schryver wrote:
>>                                  they handled the DS submission via email
> There seems to be more than one registrar that claims to handle DNSSEC
> via mail.  Never mind security questions such as whether or how (e.g.
> PGP vs. S/MIME) that mail is signed or there are other protections
> against bad guy games.  RFC 4641 suggests "planning for a key effectivity
> on the order of a few months" for key signing keys.  Negotiating with
> a registrar's support mailbox every few months or even once every year
> or two strikes me as at best impractical in a professional operational
> (as opposed to vanity domain or test) setting.  And what happens in an
> emergency key rollover after you suspect that the computer with the
> secret keys has been compromised or a less than amicable trusted
> employee departure?  As far as I'm concerned, the years old registrar
> answer to the "DNSSEC?" question of "send mail to support" is a
> disingenuous effort to pass checklists.

For my vanity domain I need two actions supported by my registrar.
a. Insert the DS records I supply (and match my zone's DNSKEY) into the 
parent zone. Note that I expect them to check that the DS Record matches 
(and validates) before inserting it into parent.
b. Remove my DS records

b. is my emergency key reaction after my signing system is compromised.

At this point I have no plans to change my KSK; by the time that comes I 
hope my registrar has full DNSSEC support.

Right now the best thing for DNSSEC deployment is that people start 
telling registrars that there is demand to insert DS into parent zones.
Hopefully registrars that see demand, will update systems to DS 

> I don't understand why registrars are dragging their feet.  To my
> naive ears, transfer locking, "privacy guard", HTTP and mail
> forwarding, and other de facto standard registrar services sound
> harder than accepting and signing keys.  But then I also don't
> understand why it took them so long to start handling IPv6 glue.

Market demand, registrars react to customer requests and defections :-)

> Vernon Schryver    vjs at rhyolite.com
> P.S. Of course, given men in the middle and so forth, the HTTPS web
> pages used by registrars to change NS and glue records are not very
> secure...except compared to unauthenticated, trivially forged mail.

With DNSSEC we can start talking about using DNSSEC to authenticate the 
NS and glue data that flows into registries/parents.
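
The check named in item (a) of the message, that a submitted DS matches a DNSKEY in the child zone before it goes into the parent, could look like the sketch below. It is an added example, not part of the original message or any registrar's code; it covers only the key tag, algorithm and digest match defined in RFC 4034, not validation of the DNSKEY RRset's signatures, and `example.org` and the key bytes are constructed sample data.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (16 bits), protocol, algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds(owner, ds, dnskeys):
    """Return (ok, reason) for a submitted DS against the child's DNSKEY RDATAs."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False, "unsupported digest type"
    reason = "no DNSKEY with that key tag and algorithm"
    for rdata in dnskeys:
        if key_tag(rdata) != tag or rdata[3] != alg:
            continue  # key tags can collide, so keep scanning
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0100:  # Zone Key bit must be set
            reason = "matching DNSKEY is not a zone key"
        elif make_ds(owner, rdata, dtype)[3] == digest.replace(" ", "").lower():
            return True, "DS matches DNSKEY"
        else:
            reason = "digest mismatch"
    return False, reason

# Constructed sample data, not a real key.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes(range(1, 9)))
SAMPLE_DS = make_ds("example.org", SAMPLE_KEY, 2)

if __name__ == "__main__":
    print(check_ds("example.org", SAMPLE_DS, [SAMPLE_KEY]))
```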

