Hi
On 13.10.2025 20:17, Peter Thomassen wrote:
One more discussion point spun up last week at OARC, namely about the
following recommendation in draft-ietf-dnsop-ds-automation. I'd again be
delighted to learn your views.
Section 5.1:
5. In the RRR model, registries SHOULD NOT perform automated DS
maintenance if it is known that the registrar performs this
function, or does not support DNSSEC at all.
It was argued that this recommendation -- especially the last part -- is
unnecessary, and if the registrar doesn't provide a DS interface, then
the registrant should switch registrars.
[...]
>
> However, consider the following draft text:
>
> 5.2.1. Necessity of Non-automatic Updates
>
> [...] when the registrar is known to not support DNSSEC (or to
> lack a DS provisioning interface), it seems adequate for registries
> to not perform automated DS maintenance, in order to prevent
> situations in which a misconfigured delegation cannot be repaired by
> the registrant.
The current phrasing assumes that registries somehow know which
registrars support DNSSEC and what that support entails.
In my experience, that is rarely the case. Technically, every registrar
can modify the DS RRset — there is an EPP command for that.
Some registrars simply choose not to expose this functionality in their
customer interfaces, but their backend support should still be able to
execute it upon a registrant’s request.
I’m not sure how registries could maintain an accurate list of
registrars that are unable or unwilling to process DS changes for their
customers, or how such a list could be kept up to date.
In practice, we usually only discover these cases when it’s already too
late — for example, when automated DS maintenance has occurred,
something breaks, and the registrar cannot or will not assist in fixing it.
At that point, we can disable DS automation for that registrar to
prevent future issues, but we still need a process to repair existing
broken delegations. In most cases, that means the registry directly
removes the DS records at the registrant’s request.
Here is an alternative suggestion that takes this situation into account:
"5. In the RRR model, registries SHOULD provide a process to remove DS
records at the explicit request of the registrant if the registrar is
unable to remove or update DS records. Registries SHOULD disable
automated DS maintenance for any registrar that is known to be unable to
manage DS records until such support has been confirmed."
What do you think?
Best regards
Oli
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
