[dns-operations] DNSSEC: Needs for zone transitions to Insecure

Patrik Fältström paf at frobbit.se
Fri Mar 20 22:32:06 UTC 2015


> On 20 mar 2015, at 20:50, Florian Weimer <fw at deneb.enyo.de> wrote:
> 
>> With my experience as a dns hosting entity, that is also a registrar, I have a few comments.
>> 
>> - There is always a reason why DNS Hosting Provider and/or Registrar
>> is changed. Most of the time because the old party "did not do their
>> job". So most of the time something is already broken in the old
>> setup.
> 
> There are also totally benign reasons, like cleanup after M&A or
> the regular switching of vendors.
> 
> Overall, these are probably lost in the noise, but on my end, I'm
> particularly interested in those.

Correct, there are also registrants that discover they have 4711 domain names spread over 313 registrars, and they want to move all of those domain names to one registrar (or fewer) just to get a better service. Note that I do not say "cheaper" as in real money, but "easier to manage".

But as you say, those are lost in the noise. From my position, most transfers of *real* working delegated zones (apart from the result of drop catching etc.) are due to mistakes by the donating DNS hosting provider and/or donating registrar.

>> I.e. I see people today in most cases "just do the move" and either
>> just ignore the issue, or they set the zone to be insecure. In
>> Sweden with high percentage of validation, taking zone unsigned is
>> quite normal in the cases where it is easy/possible to do so at the
>> donating registrar/dns hosting provider.
> 
> Ah, interesting.  Thanks for sharing.

   Patrik
