On 14/07/2012 13:28, Vernon Schryver wrote:
> >                              they handled the DS submission via email
> 
> There seem to be more than one registrar that claims to handle DNSSEC
> via mail.  Never mind security questions such as whether or how (e.g.
> PGP vs. S/MIME) that mail is signed or there are other protections
> against bad guy games.  RFC 4641 suggests "planning for a key effectivity
> on the order of a few months" for key signing keys.  Negotiating with
> a registrar's support mailbox every few months or even once every year
> or two strikes me as at best impractical in a professional operational
> (as opposed to vanity domain or test) setting.  And what happens in an
> emergency key rollover after you suspect that the computer with the
> secret keys has been compromised or a less than amicable trusted
> employee departure?  As far as I'm concerned, the years old registrar
> answer to the "DNSSEC?" question of "send mail to support" is a
> disingenuous effort to pass checklists.


For my vanity domain I need two actions supported by my registrar.
a. Insert the DS records I supply (and match my zone's DNSKEY) into the parent zone. Note that I expect them to check that the DS Record matches (and validates) before inserting it into parent.
b. Remove my DS records

b. is my emergency key reaction after my signing system is compromised.

At this point I have no plans to change my KSK; by the time that comes I hope my registrar has full DNSSEC support.

Right now the best thing for DNSSEC deployment is that people start telling registrars that there is demand to insert DS into parent zones. Hopefully registrars that see demand will update systems to DS add/change/delete.

> I don't understand why registrars are dragging their feet.  To my
> naive ears, transfer locking, "privacy guard", HTTP and mail
> forwarding, and other de facto standard registrar services sound
> harder than accepting and signing keys.  But then I also don't
> understand why it took them so long to start handling IPv6 glue.

Market demand, registrars react to customer requests and defections :-)


> Vernon Schryver    v...@rhyolite.com
> 
> P.S. Of course, given men in the middle and so forth, the HTTPS web
> pages used by registrars to change NS and glue records are not very
> secure...except compared to unauthenticated, trivially forged mail.


With DNSSEC we can start talking about using DNSSEC to authenticate the NS and glue data that flows into registries/parents.

        Olafur
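
As an added example, not part of the thread and not any registrar's or DNS software's own code: the "check that the DS record matches (and validates) before inserting it into the parent" step that Olafur expects of a registrar, implemented from RFC 4034 (DS digest over the canonical owner name followed by the DNSKEY RDATA, section 5.1.4; key tag from Appendix B). The owner name, flags and public-key bytes are constructed placeholders, not real key material; function names are this example's own.

```python
"""Registrar-side DS check: accept a DS only if it reproduces exactly from a
DNSKEY the child zone actually publishes (RFC 4034 section 5.1.4, Appendix B).
Added example, not from the thread; the key material below is a constructed
placeholder, not a real key."""
import hashlib
import struct

# DS digest types registered for DS records (RFC 4034, RFC 4509, RFC 6605).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA
    (the variant used for every algorithm except algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS RDATA derived from a DNSKEY: (key tag, algorithm, digest type, hex digest),
    where digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def format_ds(owner, ds):
    """Presentation form, e.g. 'example.com. IN DS 12345 8 2 <hex>'."""
    tag, alg, dtype, digest = ds
    return f"{owner.rstrip('.')}. IN DS {tag} {alg} {dtype} {digest}"


def registrar_accepts_ds(owner, submitted_ds, published_dnskeys):
    """The check a registrar should run before a DS goes into the parent zone:
    the submitted DS must be reproduced exactly (key tag, algorithm, digest
    type, digest) from one of the DNSKEYs observed in the child zone.  A DS
    with a mistyped digest, or one pointing at a key the child never published,
    would otherwise make the delegation bogus for every validating resolver."""
    tag, alg, dtype, digest = submitted_ds
    if dtype not in DS_DIGESTS:
        return False
    for flags, proto, key_alg, pub in published_dnskeys:
        if key_alg != alg:
            continue
        if make_ds(owner, flags, proto, key_alg, pub, dtype) == (tag, alg, dtype, digest.upper()):
            return True
    return False


# Constructed sample zone: a KSK (flags 257) and a ZSK (flags 256) for
# example.com, algorithm 8 (RSASHA256).  The key bytes are placeholders.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = (257, 3, 8, bytes(range(3, 67)))
SAMPLE_ZSK = (256, 3, 8, bytes(range(100, 164)))

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, *SAMPLE_KSK)
    print(format_ds(SAMPLE_OWNER, ds))
    zone_keys = [SAMPLE_KSK, SAMPLE_ZSK]
    print("submitted DS accepted:", registrar_accepts_ds(SAMPLE_OWNER, ds, zone_keys))
    tampered = ds[:3] + ("00" * 32,)
    print("tampered DS accepted:", registrar_accepts_ds(SAMPLE_OWNER, tampered, zone_keys))
```

The registrar-side function deliberately recomputes the DS from the DNSKEY rather than trusting any field of the submission; a mismatch in the key tag alone is not a match, and a digest type the registry does not know is rejected rather than stored blindly. Emergency removal (Olafur's action b.) needs no such check: deleting the DS only removes the secure delegation.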

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
