Michael,

Please refer to the DNSSEC and Security Workshop's "DNSSEC Provisioning 
Automation" panel presentations.
At least: 
https://cdn.filestackcontent.com/content=t:attachment,f:%223.1%20Crocker%20-%20DS%20Updates%20and%20Multi-signer%20Coordination.pdf%22/AhnRIROT5aurERz0pfuQ
Registrars can scan CDS/CDNSKEY/CSYNC RRs and provision them via EPP.
It does not break the existing RRR model.

Regards,

Yoshiro

On Fri, 2 Dec 2022 12:41:03 +0100 Michael Bauland <[email protected]> 
wrote:

> Hello,
> 
> I've recently come across a case in the context of CDS/CDNSKEY and I'm 
> unsure what is the best/correct way to handle the situation.
> 
> CDS/CDNSKEY records are meant to notify the registry about a change in 
> the DS/DNSKEY records, similar to sending an EPP request.
> 
> What should the registry do, if
> 1. the serverUpdateProhibited EPP state is set?
> 2. the clientUpdateProhibited EPP state is set?
> 
> I tend to say that in Case 1, the domain may not be changed at all and 
> as a consequence CDS/CDNSKEYs should be ignored.
> 
> For Case 2 my preference is that this is only a kind of safeguard 
> against unintended changes by the registrar, and the DNSSEC update is 
> most likely intended and should go through. Furthermore, some registrars 
> might set this state regularly, which would then take away the 
> registrant's possibility to roll over their DNSKEY. This most likely is 
> not intended.
> However, one could of course argue: update prohibited means update 
> prohibited, and as long as that state is set, no changes (other than 
> removing this state) should be possible.
> 
> What do others think about these cases?
> 
> Cheers,
> 
> Michael
> 
> -- 
> ____________________________________________________________________
>       |       |
>       | knipp |            Knipp  Medien und Kommunikation GmbH
>        -------                    Technologiepark
>                                   Martin-Schmeisser-Weg 9
>                                   44227 Dortmund
>                                   Germany
> 
>       Dipl.-Informatiker          Fon:    +49 231 9703-0
>                                   Fax:    +49 231 9703-200
>       Dr. Michael Bauland         SIP:    [email protected]
>       Software Development        E-mail: [email protected]
> 
>                                   Register Court:
>                                   Amtsgericht Dortmund, HRB 13728
> 
>                                   Chief Executive Officers:
>                                   Dietmar Knipp, Elmar Knipp
> 
> _______________________________________________
> regext mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/regext
> 
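
The registrar-side flow mentioned in the reply (scan CDS, then provision via EPP), sketched as an added example that is not part of either message or of any registry's code: it diffs scanned CDS RDATA against the DS set held at the registry and builds the RFC 5910 secDNS update, skipping domains whose EPP status would make the update fail. The function names, decision labels and sample records are assumptions made for illustration, and the CDS input is assumed to be DNSSEC-validated already.

```python
import xml.etree.ElementTree as ET

SECDNS = "urn:ietf:params:xml:ns:secDNS-1.1"   # RFC 5910 extension namespace
ET.register_namespace("secDNS", SECDNS)
BLOCKING = {"clientUpdateProhibited", "serverUpdateProhibited"}  # RFC 5731
DELETE = (0, 0, 0, "00")                       # RFC 8078 "remove all DS" sentinel

def parse_ds(rdata):
    """'2371 13 2 AB CD' -> (2371, 13, 2, 'ABCD'); CDS uses the DS RDATA format."""
    tag, alg, dtype, *digest = rdata.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()

def _child(parent, name, text=None):
    el = ET.SubElement(parent, f"{{{SECDNS}}}{name}")
    el.text = text
    return el

def plan_update(cds_rdata, registry_ds, statuses):
    """Return (decision, secDNS:update XML or None) for one scanned domain.
    Assumption: cds_rdata comes from DNSSEC-validated answers."""
    cds = {parse_ds(r) for r in cds_rdata}
    cur = {parse_ds(r) for r in registry_ds}
    if not cds:
        return "no-cds", None
    if DELETE in cds and len(cds) > 1:
        return "invalid-cds", None   # conservative: sentinel mixed with real records
    if cds == cur or (cds == {DELETE} and not cur):
        return "in-sync", None
    if BLOCKING & set(statuses):
        return "blocked-by-status", None   # server would reject the EPP <update>
    update = ET.Element(f"{{{SECDNS}}}update")
    if cds == {DELETE}:
        _child(_child(update, "rem"), "all", "true")
    else:
        # The RFC 5910 schema orders <rem> before <add> inside <secDNS:update>.
        for op, records in (("rem", cur - cds), ("add", cds - cur)):
            if records:
                parent = _child(update, op)
                for rec in sorted(records):
                    ds = _child(parent, "dsData")
                    for f, v in zip(("keyTag", "alg", "digestType", "digest"), rec):
                        _child(ds, f, str(v))
    return "update", ET.tostring(update, encoding="unicode")

# Constructed sample records (not real keys): a rollover from OLD to NEW.
OLD, NEW = "2371 13 2 " + "AA" * 32, "40900 13 2 " + "BB" * 32
if __name__ == "__main__":
    print(plan_update([NEW], [OLD], ["ok"]))
    print(plan_update([NEW], [OLD], ["clientUpdateProhibited"]))
```
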
