> After some internal discussion here at labs, the following is also
> possible:
>
> 1) get the DS via EPP from the child
> 2) parent retrieves the key via the DNS from the child
> 3) parent _transforms_ the key into a DS and compares that with
>    the one from step 1
Labs have read my mind.
To state the obvious, using steps 2 and 3 it is possible to do a DS digest algorithm rollover.
In the discussion between Scott and me in 2002, I was advocating DS as the only option due to simplicity and less typing for the registrant into a web form at the registrar; Scott and his co-workers were not sold at the time on the concept of DS, so they wanted to keep both options. EPP is a protocol between Registry and Registrar, and I see the registrar as the natural place to handle the translation from DNSKEY to DS for the technically challenged. For EPP used in Enterprises
I want to remind: one of the reasons for using a HASH in the DS record was liability issues for the parent; another one was to allow delayed exposure of public key material,
In any case, IMHO there is no good reason to provide both DS and DNSKEY; let's only standardize DS.
Now on to a new issue: the RRSIG in the EPP transfer. This text was put in based on my suggestion; upon reflection I think this is a bad idea and should be removed from the document. If we send DS, then the recipient needs to query for the DNSKEY RRset to evaluate the signatures; this forces the registrant to have the new SEP key on-line.
Overall I think the question is: why provide more security for the DS exchange than is provided for the NS exchange?
Olafur
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
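The parent-side check quoted at the top of the message (take the DS received via EPP, fetch the child's DNSKEY from the DNS, transform the key into a DS, compare) as a worked example. This is added illustration code, not code from the thread, from labs, or from any EPP or registry implementation; it follows the DS construction of RFC 4034 section 5.1.4 and the key tag of RFC 4034 Appendix B, using only the Python standard library. The function names (`ds_from_dnskey`, `ds_matches`, `dnskey_from_presentation`) are my own, the owner name `child.example.` is a placeholder, and the DNSKEY public key bytes are a constructed four-byte stand-in, not a real RSA key; the "DS received via EPP" is likewise constructed in the block rather than read from an EPP session. Because the parent recomputes the digest from the key with whatever digest type the submitted DS names, the same check accepts a SHA-1 DS and a SHA-256 DS for one key, which is the digest algorithm rollover point made in the message.

```python
"""Parent-side DS verification against the child's DNSKEY (RFC 4034).

Added example, not code from the dnsop thread. The key material below is
constructed for illustration and is not a real DNSSEC key.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_TYPES = {1: "sha1", 2: "sha256"}


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def presentation(self) -> str:
        return (f"{self.key_tag} {self.algorithm} {self.digest_type} "
                f"{self.digest.hex().upper()}")


def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_from_presentation(text: str) -> bytes:
    """Parse '<flags> <protocol> <algorithm> <base64 key>' into wire RDATA."""
    flags, protocol, algorithm, *b64 = text.split()
    pubkey = base64.b64decode("".join(b64))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """Transform a DNSKEY into a DS: digest(canonical owner name | RDATA)."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(canonical_name(owner) + rdata)
    return DS(key_tag(rdata), rdata[3], digest_type, h.digest())


def ds_matches(owner: str, rdata: bytes, claimed: DS) -> bool:
    """Step 3 of the quoted procedure: recompute the DS from the key fetched
    from the DNS, using the digest type the submitted DS names, and compare
    key tag, algorithm and digest (constant-time on the digest)."""
    if claimed.digest_type not in DIGEST_TYPES:
        return False
    computed = ds_from_dnskey(owner, rdata, claimed.digest_type)
    return (computed.key_tag == claimed.key_tag
            and computed.algorithm == claimed.algorithm
            and hmac.compare_digest(computed.digest, claimed.digest))


if __name__ == "__main__":
    owner = "child.example."                       # placeholder zone
    # Constructed DNSKEY "fetched from the DNS": KSK flags, protocol 3,
    # algorithm 8, with a four-byte stand-in instead of a real RSA key.
    from_dns = dnskey_from_presentation("257 3 8 AQIDBA==")
    # Constructed DS "received via EPP"; a real parent would take it from
    # the EPP <create>/<update> rather than compute it here.
    from_epp = ds_from_dnskey(owner, from_dns, 2)
    print("DS via EPP :", from_epp.presentation())
    print("match      :", ds_matches(owner, from_dns, from_epp))
    # Digest rollover: a SHA-1 DS for the same key is accepted by the same check.
    print("sha1 match :", ds_matches(owner, from_dns, ds_from_dnskey(owner, from_dns, 1)))
    # A key that differs by one bit no longer matches the submitted DS.
    tampered = dnskey_from_presentation("257 3 8 AQIDBQ==")
    print("tampered   :", ds_matches(owner, tampered, from_epp))
```

Note that `ds_matches` rejects an unknown digest type rather than raising, so a DS carrying a digest type the parent does not support fails the comparison instead of crashing the registry-side check; whether the parent should instead refuse the update outright is policy, not something this check decides.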
