[dns-operations] using DNSSEC to mitigate domain hijacking via the registrar channel

Patrik Fältström paf at frobbit.se
Tue Oct 15 05:48:27 UTC 2013


On 13 Oct 2013, at 10:26, Marco Davids (SIDN) <marco.davids at sidn.nl> wrote:

> For instance, what would happen if the registrar would upload the wrong
> DNSKEY/DS to the parent and want to correct that? Would be impossible,
> because validation is broken at that time?

This is a rat hole.

We have had the discussion many times whether lame delegation is ok to produce when a child names its auth servers to the parent. We do not agree on whether the parent should validate that. Some registries do validate not only that but many other things (that MX exists, that an A record exists, etc.), and we will have similar issues with DS/DNSKEY.

I just do not see it being possible to agree here.

What we should spend time on is instead to, for example, agree on whether DS or DNSKEY is what the registry wants, and after that agreement work on making it even easier for people to do the right thing. That is, I think, the only way we can minimize the number of cases where people do the wrong thing.

   Patrik
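
Added example, not part of the original post: a check a registrant or registrar could run before submitting a DS to the parent, deriving the SHA-256 DS from each DNSKEY in the child zone (RFC 4034) and comparing it with the DS about to be uploaded. The function names, status strings, owner name and key bytes are constructed for illustration, and only digest type 2 is handled.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, key):
    """Derive the SHA-256 (digest type 2) DS tuple for one DNSKEY."""
    rdata = dnskey_rdata(*key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], 2, digest)

def check_submission(owner, ds, child_keys):
    """Compare a DS submitted to the parent with the child's DNSKEY RRset."""
    for key in child_keys:
        if make_ds(owner, key) != (ds[0], ds[1], ds[2], ds[3].upper()):
            continue
        flags, protocol = key[0], key[1]
        if protocol != 3 or not flags & 0x0100:   # Zone Key bit must be set
            return "matches a DNSKEY that is not a zone key"
        if flags & 0x0080:                        # REVOKE bit (RFC 5011)
            return "matches a revoked DNSKEY"
        return "ok"
    return "no DNSKEY in the child zone matches this DS"

# Constructed sample data: the key bytes are placeholders, not real keys.
OWNER = "example.com."
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())

if __name__ == "__main__":
    print(check_submission(OWNER, make_ds(OWNER, KSK), [KSK]))      # DS for the live key
    print(check_submission(OWNER, make_ds(OWNER, OLD_KSK), [KSK]))  # DS for a key not in the zone
```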
