See my comment below.
________________________________________
From: regext [[email protected]] on behalf of Patrick Mevzek [[email protected]]
Sent: Monday, 16 July 2018 21:32
To: [email protected]
Subject: Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)
On Mon, Jul 16, 2018, at 21:08, Martin Casanova wrote:
> To be clear the domain info response will be sent just without the
> DNSSec part. Therefore a not DNSSec interested registrar will just not
> see the DNSSec configuration but all the rest of the domain info
> resData. I don't see a problem with that.
Here is the problem as already exposed: you may have registrars that do not
want to deal with DNSSEC on a philosophical principle. They may want to
specifically not try to transfer a currently DNSSEC enabled domain to them,
because they know it will break resolution and they do not want to handle the
customer saying that they broke the domain.
M: The Registrar does not need to check the domain with domain info in order to
check if he is allowed to do or not.
M: If he is not then we will prevent it (see next comment)
Besides using the DNS, in your case, this registrar has no way to know in
advance that the transfer will be a problem. And I suspect telling them 'Please
be DNSSEC accredited with us and login with secDNS extension' will fall on a
deaf ear.
M: No, we never told such a thing to a registrar. However, we do put in the
manual that a DNSSec Domain can only be transferred to a DNSSec enabled
Registrar (up to now at least)
> In case he is DNSSec enabled but still logs in without this extension he
> will get a failure with error message similar to “Not allowed to
> transfer DNSSec Domain” when trying to transfer a DNSSec domain to him.
What happens for a non-DNSSEC enabled registrar (and hence not using secDNS on
login) when he tries to transfer to him a DNSSEC-enabled domain?
Is this refused?
M: Exactly. Through the transitive relation that we prevent him to start a
DNSSec enabled session and a non enabled session will never authorize an
incoming transfer of a DNSSec domain.
Also to leave the discussion on track, this DNSSEC part of domain:info response
was only one example of the same problem ("unhandled namespaces") outside of
the poll messages, because I think the problem is global and we should tackle
it globally (or not at all and leave it at the current status quo).
M: That's exactly what we should discuss in a minute :)
--
Patrick Mevzek
Martin
_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext
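
An added example (not code from this thread or from any registry) that models the server behaviour described above: extension data in a namespace the client did not declare at login is withheld from the domain:info response, and a transfer of a signed domain is refused for such a session. The login and response XML are constructed and abbreviated, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

EPP = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN = "urn:ietf:params:xml:ns:domain-1.0"
SECDNS = "urn:ietf:params:xml:ns:secDNS-1.1"

# Constructed, abbreviated <login>: the client declares no secDNS extURI.
LOGIN = f"""<epp xmlns="{EPP}"><command><login><clID>registrar-a</clID>
<svcs><objURI>{DOMAIN}</objURI></svcs></login></command></epp>"""

# Constructed domain:info response for a signed domain, before filtering.
INFO = f"""<epp xmlns="{EPP}"><response>
<result code="1000"><msg>Command completed successfully</msg></result>
<resData><infData xmlns="{DOMAIN}"><name>example.com</name></infData></resData>
<extension><infData xmlns="{SECDNS}"><dsData><keyTag>12345</keyTag></dsData>
</infData></extension></response></epp>"""

def session_namespaces(login_xml):
    """URIs declared at login (objURI plus svcExtension/extURI)."""
    wanted = {f"{{{EPP}}}objURI", f"{{{EPP}}}extURI"}
    return {e.text.strip() for e in ET.fromstring(login_xml).iter() if e.tag in wanted}

def namespace_of(element):
    return element.tag[1:].split("}")[0] if element.tag.startswith("{") else ""

def filter_response(response_xml, declared):
    """Remove extension children in namespaces the session never declared."""
    root, dropped = ET.fromstring(response_xml), []
    for parent in list(root.iter()):
        for ext in parent.findall(f"{{{EPP}}}extension"):
            for child in list(ext):
                if namespace_of(child) not in declared:
                    ext.remove(child)
                    dropped.append(namespace_of(child))
            if len(ext) == 0:  # drop the wrapper once nothing is left in it
                parent.remove(ext)
    return root, dropped

def is_signed(response_xml):
    """True if the registry's unfiltered record carries DS or key data."""
    root = ET.fromstring(response_xml)
    return any(root.find(f".//{{{SECDNS}}}{t}") is not None for t in ("dsData", "keyData"))

def may_request_transfer(declared, signed):
    """A signed domain may only be transferred into a session that declared secDNS."""
    return (not signed) or SECDNS in declared

if __name__ == "__main__":
    declared = session_namespaces(LOGIN)
    print(filter_response(INFO, declared)[1], may_request_transfer(declared, is_signed(INFO)))
```

The filtered view gives this client no indication that the domain is signed, yet the transfer check still fails for it, which is the situation the two participants are debating.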