> -----Original Message-----
> From: regext <[email protected]> On Behalf Of Michael Bauland
> Sent: Friday, December 2, 2022 6:41 AM
> To: [email protected]
> Subject: [EXTERNAL] [regext] CDS/CDNSKEY vs. EPP update prohibited
>
> Hello,
>
> I've recently come across a case in the context of CDS/CDNSKEY and I'm unsure
> what is the best/correct way to handle the situation.
>
> CDS/CDNSKEY records are meant to notify the registry about a change in the
> DS/DNSKEY records, similar to sending an EPP request.
>
> What should the registry do, if
> 1. the serverUpdateProhibited EPP state is set?
> 2. the clientUpdateProhibited EPP state is set?
>
> I tend to say that in Case 1, the domain may not be changed at all and as a
> consequence CDS/CDNSKEYs should be ignored.
>
> For Case 2 my preference is that this is only a kind of safeguard against
> unintended changes by the registrar, and the DNSSEC update is most likely
> intended and should go through. Furthermore, some registrars might set this
> state regularly, which would then take away the registrant's possibility to
> roll over their DNSKEY. This most likely is not intended.
> However, one could of course argue: update prohibited means update
> prohibited, and as long as that state is set, no changes (other than removing
> this state) should be possible.
>
> What do others think about these cases?
[SAH] I lean towards "prohibited means prohibited". DNS service providers can be compromised, too, and I'd prefer to see steps taken to explicitly remove the state prior to a DNS update vs. allowing some actors to bypass the state.

Scott
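The two positions in this thread differ only in how clientUpdateProhibited is treated, so a registry's CDS/CDNSKEY scanner can express both as one policy knob. The following is an added example, not code from either poster or from any registry: it reads the status values from a constructed EPP domain info response, then decides whether the scanned CDS set may replace the published DS set. The DS/CDS tuples and the domain name are constructed sample values.

```python
import xml.etree.ElementTree as ET

DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"   # EPP domain mapping namespace

# Constructed sample: the <domain:infData> part of an EPP <info> response
# for a domain that a registrar has locked with clientUpdateProhibited.
SAMPLE_INFDATA = f"""
<domain:infData xmlns:domain="{DOMAIN_NS}">
  <domain:name>example.test</domain:name>
  <domain:status s="clientUpdateProhibited"/>
</domain:infData>
"""

def epp_statuses(infdata_xml: str) -> set:
    """Return the set of EPP status values (the 's' attributes) on the domain."""
    root = ET.fromstring(infdata_xml)
    return {el.get("s") for el in root.iter(f"{{{DOMAIN_NS}}}status")}

def cds_decision(statuses, published_ds, scanned_cds, strict_client=True):
    """Decide what the registry's CDS/CDNSKEY scanner should do.

    published_ds / scanned_cds: sets of (keytag, alg, digest_type, digest) tuples.
    strict_client: True  = "prohibited means prohibited" (Scott's position),
                   False = clientUpdateProhibited is a registrar-only safeguard
                           (Michael's preference).
    Returns (action, reason); action is "ignore", "noop" or "apply".
    """
    if "serverUpdateProhibited" in statuses:          # Case 1: both positions agree
        return "ignore", "serverUpdateProhibited: registry-level lock, no change allowed"
    if strict_client and "clientUpdateProhibited" in statuses:   # Case 2
        return "ignore", "clientUpdateProhibited: remove the status via EPP before DS changes"
    if set(scanned_cds) == set(published_ds):
        return "noop", "CDS already matches the published DS RRset"
    return "apply", f"replace DS RRset with {len(scanned_cds)} record(s) from CDS"

def run_sample(strict_client=True):
    # Constructed DS/CDS values, not real key material.
    published = {(12345, 13, 2, "OLDDIGEST")}
    scanned = {(54321, 13, 2, "NEWDIGEST")}
    return cds_decision(epp_statuses(SAMPLE_INFDATA), published, scanned, strict_client)

if __name__ == "__main__":
    print(run_sample(strict_client=True))    # ('ignore', ...)
    print(run_sample(strict_client=False))   # ('apply', ...)
```

Logging the reason string on every "ignore" gives the registrar a visible trail of CDS changes that were held back by a status, which is what makes the strict policy workable in practice.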
