Michael, Please refer to the DNSSEC and Security Workshop's "DNSSEC Provisioning Automation" panel presentations. At least: https://cdn.filestackcontent.com/content=t:attachment,f:%223.1%20Crocker%20-%20DS%20Updates%20and%20Multi-signer%20Coordination.pdf%22/AhnRIROT5aurERz0pfuQ Registrars can scan CDS/CDNSKEY/CSYNC RRs and provision them via EPP. It does not break existing RRR model.
Regards, Yoshiro On Fri, 2 Dec 2022 12:41:03 +0100 Michael Bauland <[email protected]> wrote: > Hello, > > I've recently come across a case in the context of CDS/CDNSKEY and I'm > unsure what is the best/correct way to handle the situation. > > CDS/CDNSKEY records are meant to notify the registry about a change in > the DS/DNSKEY records, similar to sending an EPP request. > > What should the registry do, if > 1. the serverUpdateProhibited EPP state is set? > 2. the clientUpdateProhibited EPP state is set? > > I tend to say that in Case 1, the domain may not be changed at all and > as a consequence CDS/CDNSKEYs should be ignored. > > For Case 2 my preference is that this is only a kind of safeguard > against unintended changes by the registrar, and the DNSSEC update is > most likely intended and should go through. Furthermore, some registrars > might set this state regularly, which would then take away the > registrant's possibility to roll over their DNSKEY. This most likely is > not intended. > However, one could of course argue: update prohibited means update > prohibited, and as long as that state is set, no changes (other than > removing this state) should be possible. > > What do others think about these cases? > > Cheers, > > Michael > > -- > ____________________________________________________________________ > | | > | knipp | Knipp Medien und Kommunikation GmbH > ------- Technologiepark > Martin-Schmeisser-Weg 9 > 44227 Dortmund > Germany > > Dipl.-Informatiker Fon: +49 231 9703-0 > Fax: +49 231 9703-200 > Dr. Michael Bauland SIP: [email protected] > Software Development E-mail: [email protected] > > Register Court: > Amtsgericht Dortmund, HRB 13728 > > Chief Executive Officers: > Dietmar Knipp, Elmar Knipp > > _______________________________________________ > regext mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/regext > _______________________________________________ regext mailing list [email protected] https://www.ietf.org/mailman/listinfo/regext
