Namecheap fails to ingest existing DS on transfer in
John W. O'Brien
john at saltant.com
Sun Jul 21 17:24:38 UTC 2024
Hello DNS Operations,
This is mostly an advisory, though I welcome comments from those more
knowledgeable and experienced than myself if it turns out I'm missing
something.
Namecheap, as the gaining registrar, does not ingest the established DS
from the parent zone into their domain management system when
transferring a signed domain. The web portal erroneously shows that
DNSSEC is disabled and no DS records are present. However, the
registry's authoritative name servers still respond with the expected DS
that was previously published by the losing registrar. That is, the
delegation is still actually secure after the transfer.
Attempting to (re-)add the existing DS to the web portal fails with
"DnsSec add failed". It is possible to add a different DS via the
Namecheap portal---with a different digest type, for instance. However,
that results in the removal of the prior DS. It is not possible to
transition to insecure by removing the DS once the transfer has been
completed.
The two ways I can see to restore data consistency without causing the
zone to become bogus are: 1) cut-over from one combination of supported
DS digest types to a disjoint set (e.g. SHA-1 + SHA-256 to SHA-384); or
2) perform a KSK roll-over using the double-KSK method. Transferring the
domain out to a registrar that can ingest DS records from the registry
may be a third method, but I have not attempted it.
I confirmed this with a domain under US and another one under COM. At
least one other registrar, Porkbun, handles DNSSEC correctly when
transferring a domain in. Namecheap support says that I am expected to
set up DNSSEC afresh when transferring in and would not commit to
implementing a fix/improvement.
All the best,
John
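As an added example (not part of the post and not Namecheap's or any registrar's code), the following Python computes the DS records the parent should publish from a KSK DNSKEY per RFC 4034, compares the registry-served DS set against what a registrar portal displays, and lists the digest types still free for the disjoint cut-over described as method 1. The DNSKEY public key bytes, the owner name and both DS sets are constructed sample input; no DNS queries are made.

```python
import hashlib

# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_wire(name):
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, rdata, digest_type):
    """DS as (key_tag, algorithm, digest_type, digest_hex), RFC 4034 section 5.1.4:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(name_wire(owner) + rdata)
    return (key_tag(rdata), rdata[3], digest_type, h.hexdigest())

def diff_ds(registry_ds, portal_ds):
    """Compare the DS set the parent actually serves with the set the registrar portal shows.
    The case in the post: registry_ds is non-empty while portal_ds is empty."""
    return {"missing_in_portal": set(registry_ds) - set(portal_ds),
            "extra_in_portal": set(portal_ds) - set(registry_ds)}

def disjoint_cutover(current_types, supported=frozenset(DIGEST_ALGOS)):
    """Digest types not yet published at the parent (method 1: cut over to a disjoint set).
    Empty result: every supported type is in use, so a double-KSK roll (method 2) is needed."""
    return set(supported) - set(current_types)

if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257, algorithm 13) with placeholder zero key bytes.
    rdata = dnskey_rdata(257, 13, b"\x00" * 64)
    registry = {ds_from_dnskey("example.com.", rdata, t) for t in (1, 2)}
    report = diff_ds(registry, set())  # portal claims "DNSSEC disabled", no DS shown
    print("DS missing from portal:", sorted(report["missing_in_portal"]))
    print("digest types free for cut-over:", disjoint_cutover({ds[2] for ds in registry}))
```

To use it on a real transfer, replace the constructed DNSKEY with the zone's KSK and the constructed sets with the DS RRset fetched from the parent's authoritative servers and the portal's listing.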