--- Begin Message ---
Hello DNS Operations,

This is mostly an advisory, though I welcome comments from those more knowledgeable and experienced than myself if it turns out I'm missing something.

Namecheap, as the gaining registrar, does not ingest the established DS from the parent zone into their domain management system when transferring a signed domain. The web portal erroneously shows that DNSSEC is disabled and no DS records are present. However, the registry's authoritative name servers still respond with the expected DS that was previously published by the losing registrar. That is, the delegation is still actually secure after the transfer.

Attempting to (re-)add the existing DS to the web portal fails with "DnsSec add failed". It is possible to add a different DS via the Namecheap portal---with a different digest type, for instance. However, that results in the removal of the prior DS. It is not possible to transition to insecure by removing the DS once the transfer has been completed.

The two ways I can see to restore data consistency without causing the zone to become bogus are: 1) cut-over from one combination of supported DS digest types to a disjoint set (e.g. SHA-1 + SHA-256 to SHA-384); or 2) perform a KSK roll-over using the double-KSK method. Transferring the domain out to a registrar that can ingest DS records from the registry may be a third method, but I have not attempted it.

I confirmed this with a domain under US and another one under COM. At least one other registrar, Porkbun, handles DNSSEC correctly when transferring a domain in. Namecheap support says that I am expected to set up DNSSEC afresh when transferring in and would not commit to implementing a fix/improvement.

All the best,
John

--- End Message ---
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
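Added example, not part of John's message and not a Namecheap or registry tool: the check behind "the delegation is still actually secure" is to recompute the DS from the child zone's KSK and compare it with the DS RRset the parent actually serves, which also tells you whether a digest-type cut-over or double-KSK roll left a matching DS in place. The DNSKEY below is a constructed byte pattern, not a real key; in practice the inputs come from `dig +dnssec DS <domain>` at the parent and `dig DNSKEY <domain>` at the child.

```python
import base64
import hashlib
import struct

# Constructed test key: a deterministic 64-byte pattern (the raw size of an
# ECDSA P-256 public key), NOT a real key, so the example runs offline.
CONSTRUCTED_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605 (SHA-1 kept only for comparison)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_to_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """DS (key tag, algorithm, digest type, hex digest) the parent should publish
    for this DNSKEY: digest over owner-name wire form + DNSKEY RDATA (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest.upper())


def matching_ds(parent_ds, owner, dnskeys):
    """Subset of the parent's DS RRset that matches a KSK (SEP flag set) in the
    child's DNSKEY RRset. An empty result means validators would see a bogus zone."""
    ksks = [k for k in dnskeys if k[0] & 0x0001]
    expected = {dnskey_to_ds(owner, *k, dt) for k in ksks for dt in DIGEST_ALGS}
    found = []
    for tag, alg, dt, digest in parent_ds:
        if (tag, alg, dt, digest.upper()) in expected:
            found.append((tag, alg, dt, digest.upper()))
    return found
```

A transfer is safe to treat as "DS still present" only when `matching_ds` returns at least one record for the KSK you are keeping; run it again after a digest-type cut-over or a double-KSK roll before removing the old key.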