> On Feb 26, 2019, at 9:15 AM, Jacques Latour <jacques.lat...@cira.ca> wrote: > DNSSEC should of never been part of the domain registration process, it was > because we didn’t have the CDS/CDNSKEY channel to automated the DS > maintenance and bootstrap. But if you keep DNSSEC maintenance outside the > registrar control then it can be effective tool (amongst other) in > identifying hijacks. Taking away he ability of the bad actors to disable > DNSSEC via registrar control panel. > This is what happens when you have all your eggs in one basket and you loose > the keys to your kingdom.
Agreed. There’s absolutely no reason for registrars to be involved with DS
records of zones they’re not signing. And, for the same reason, there’s no
reason for them to be involved with NS records, either, after an initial
bootstrap.
-Bill
signature.asc
Description: Message signed with OpenPGP
