Policy-wise, I would keep the DS intact in a transfer or NS change, so that all 
non-DNSSEC-capable registrars would soon disappear. ;-)
Since a transfer does not change NS records or DNSKEY records, it's not the 
transfer that breaks the domain, but a subsequent NS change to a new 
DNS provider.

A minimal requirement for a registrar is that he is capable of administratively 
removing the old DS record at the registry before changing the NS, just as he 
is obliged to maintain the other data on behalf of the registrant. What would 
you do with a registrar that “does not support contact address changes”?
If the new registrar cannot handle that, he is not worthy. Let him swim ;-)

-- 
Antoin Verschuren
no-hats




> On 2 Sep 2021, at 11:39, Martin Casanova <martin.casan...@switch.ch> 
> wrote:
> 
> Hi
> 
> Since we have programs in place to push DNSSEC our number of signed domains 
> is increasing rapidly. 
> 
> This brings up an old question that we were wondering about how other 
> registries handle it. 
> 
> Let's assume a signed domain is being transferred but the new registrar 
> (still...) does not support DNSSEC and is therefore not able to delete or 
> modify the DS/KeyData at the registry. In that case the domain cannot be 
> resolved anymore by validating resolvers until the DS/KeyData is deleted at 
> the registry somehow.
> 
> What is your policy/solution for this case? Here I outlined some 
> possibilities:
> 
> - Keeping track (based on login <svcExtension> at login?) which registrars do 
> DNSSEC and prohibit transfers of signed domains in case secDNS-1.1 is missing?
>   This unnecessarily limits transfers of signed domains to DNSSEC-unable 
> registrars if the domain was signed via CDS where the domain was signed by 
> the name-server owner. (no registrar involved)
> 
> - Deleting the DS/KeyData when the nameservers change? (This would raise 
> further questions...)
> - Support ticket of registrar and manual deletion by the registry?
> - ...
> 
> Your feedback is appreciated. Thanks!
> 
> 
> 
> Martin
> 
> -- 
> SWITCH 
> Martin Casanova, Domain Applications
> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland 
> phone +41 44 268 15 55, direct +41 44 268 16 25
> martin.casan...@switch.ch <mailto:martin.casan...@switch.ch>, www.switch.ch 
> <http://www.switch.ch/>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext
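The first option in the quoted message (tracking secDNS-1.1 support from the `<svcExtension>` a registrar sends at login and refusing transfers of signed domains without it), sketched as an added example that is not part of the thread or of any registry's code. The login XML is constructed, and `login_extensions`, `transfer_decision`, `sample_login` and the "allow"/"reject" values are hypothetical names.

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"        # RFC 5730
SECDNS_11 = "urn:ietf:params:xml:ns:secDNS-1.1"  # RFC 5910
RGP_10 = "urn:ietf:params:xml:ns:rgp-1.0"        # RFC 3915, unrelated extension


def login_extensions(login_xml: str) -> set[str]:
    """Return the extension URIs declared in an EPP <login> command."""
    # Registrar-supplied XML: a production parser should also reject
    # DTDs and entity declarations before handing the data on.
    root = ET.fromstring(login_xml)
    path = ".//e:login/e:svcs/e:svcExtension/e:extURI"
    return {(el.text or "").strip() for el in root.iterfind(path, {"e": EPP_NS})}


def transfer_decision(domain_has_ds: bool, gaining_exts: set[str]) -> str:
    """Policy from the first option: block only signed domains moving to a
    registrar whose session never announced secDNS-1.1."""
    if not domain_has_ds:
        return "allow"   # unsigned domain: nothing can break validation
    if SECDNS_11 in gaining_exts:
        return "allow"   # gaining registrar can update or delete the DS
    return "reject"      # DS would be stranded after a later NS change


def sample_login(ext_uris: list[str]) -> str:
    """Constructed EPP login command for the demonstration."""
    exts = "".join(f"<extURI>{u}</extURI>" for u in ext_uris)
    return (
        f'<epp xmlns="{EPP_NS}"><command><login>'
        "<clID>ClientX</clID><pw>constructed</pw>"
        "<options><version>1.0</version><lang>en</lang></options>"
        "<svcs><objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>"
        f"<svcExtension>{exts}</svcExtension></svcs>"
        "</login><clTRID>ABC-1</clTRID></command></epp>"
    )


if __name__ == "__main__":
    capable = login_extensions(sample_login([RGP_10, SECDNS_11]))
    incapable = login_extensions(sample_login([RGP_10]))
    for label, exts in (("capable", capable), ("incapable", incapable)):
        for signed in (True, False):
            print(label, "signed" if signed else "unsigned",
                  transfer_decision(signed, exts))
```

As the quoted message points out, this check also rejects domains that were signed through CDS by the name-server operator, since it only looks at what the gaining registrar announced.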
