In message <dd056a31a84cfc4ab501bd56d1e14bbb73e...@exchange.secure64.com>, 
"Stephan Lagerholm" writes:
> 
> > From: Jay Daley [mailto:j...@nzrs.net.nz]
> > Sent: Wednesday, March 03, 2010 1:54 PM
> > To: Stephan Lagerholm
> > Cc: Alex Bligh; Jaap Akkerhuis; matth...@nlnetlabs.nl;
> > bmann...@vacation.karoshi.com; Edward Lewis; Wolfgang Nagele;
> > dnsop@ietf.org
> > Subject: Re: [DNSOP] automatic update of DS records
> > 
> > On 4/03/2010, at 8:27 AM, Stephan Lagerholm wrote:
> > 
> > > Bad idea, what happens when one customer would like to move his
> > > domain from your name server to another name server. Do you give him
> > > your mega-key or do you tell him to break his chain of trust during
> > > the move?
> > 
> > If those were the only two choices then that would be a disaster.
> > Luckily we have choice 3 - sign and publish his new keys to enable
> > rollover
> > 
> 
> Correct, but I have a hard time seeing that the losing registrar would
> be that helpful. It is more realistic to think that they could provide
> access to the private key for their hosted customer. And in that case
> the key cannot be shared among customers.

Actually it is totally unrealistic that the private key can be made
available.  Often it will be in hardware and there will be no way
they can get to it even if they wanted to share it.

All that they need to do is to add the public keys from the gaining
operator to the DNSKEY RRset and sign it.  The DS for the new KSKs
also need to be published.

> /S
> ----------------------------------------------------------------------
> Stephan Lagerholm
> Senior DNS Architect, M.Sc. ,CISSP
> Secure64 Software Corporation, www.secure64.com
> Cell: 469-834-3940
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
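The "choice 3" sequence discussed above (losing operator adds the gaining operator's public keys to the DNSKEY RRset and signs it, DS for the new KSK is published at the parent, then the old keys and DS are retired) can be checked step by step with a small model. The code below is an added example, not part of the thread and not code from ISC or Secure64. DS digests and key tags are computed as RFC 4034 specifies; RRSIGs are modelled only as the set of key tags whose signature covers the DNSKEY RRset, the zone name `example.test.` and all key bytes are constructed placeholders, and each step is validated against both the current and the previous parent DS set to stand in for a resolver that still holds a cached DS. The `abrupt_change` function shows the failure mode the thread warns about: the gaining operator replacing the DNSKEY RRset while the parent still carries only the old DS.

```python
"""Model of an operator change for a DNSSEC-signed zone (constructed example)."""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

KSK_FLAGS = 257  # ZONE | SEP
ZSK_FLAGS = 256  # ZONE
RSASHA256 = 8    # DNSKEY algorithm number carried in the sample RDATA


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes  # Public Key field of the DNSKEY RDATA (placeholder bytes here)

    def rdata(self) -> bytes:
        # Flags (2 octets), Protocol (always 3), Algorithm (1 octet), Public Key
        return struct.pack("!HBB", self.flags, 3, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag computation
        acc = 0
        for i, octet in enumerate(self.rdata()):
            acc += octet if i & 1 else octet << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.lower().encode() for lab in labels) + b"\x00"


def ds_digest(owner: str, key: DNSKEY) -> bytes:
    """RFC 4034 section 5.1.4: digest = SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + key.rdata()).digest()


def chain_ok(owner: str, dnskeys: set[DNSKEY], signer_tags: set[int], parent_ds: set[bytes]) -> bool:
    """Secure iff some DS at the parent matches a key in the DNSKEY RRset whose RRSIG covers it."""
    return any(ds_digest(owner, k) in parent_ds and k.key_tag() in signer_tags for k in dnskeys)


def constructed_key(seed: str, flags: int) -> DNSKEY:
    # Placeholder public-key bytes derived from a label; not a usable RSA key.
    return DNSKEY(flags, RSASHA256, hashlib.sha256(seed.encode()).digest())


def operator_change(owner: str = "example.test.") -> list[tuple[str, bool]]:
    """Walk the cooperative transfer; each step is checked against the current
    parent DS set and the previous one (a resolver may still cache the old DS)."""
    lk, lz = constructed_key("losing-ksk", KSK_FLAGS), constructed_key("losing-zsk", ZSK_FLAGS)
    gk, gz = constructed_key("gaining-ksk", KSK_FLAGS), constructed_key("gaining-zsk", ZSK_FLAGS)

    dnskeys = {lk, lz}
    signers = {lk.key_tag()}
    parent_ds = {ds_digest(owner, lk)}
    trace: list[tuple[str, bool]] = []

    def record(step: str, previous_ds: set[bytes]) -> None:
        ok = chain_ok(owner, dnskeys, signers, parent_ds) and chain_ok(owner, dnskeys, signers, previous_ds)
        trace.append((step, ok))

    record("0 steady state at losing operator", set(parent_ds))

    # 1. Losing operator adds the gaining operator's public keys and re-signs with its own KSK.
    prev = set(parent_ds)
    dnskeys |= {gk, gz}
    record("1 gaining keys published, signed by losing KSK", prev)

    # 2. DS for the gaining KSK is added at the parent; the old DS stays for now.
    prev = set(parent_ds)
    parent_ds.add(ds_digest(owner, gk))
    record("2 DS for gaining KSK published alongside old DS", prev)

    # 3. After the old DS TTL has passed, the gaining operator signs the DNSKEY RRset itself.
    prev = set(parent_ds)
    signers = {gk.key_tag()}
    record("3 gaining KSK signs DNSKEY RRset", prev)

    # 4. Losing operator's keys and DS are retired.
    prev = set(parent_ds)
    dnskeys -= {lk, lz}
    parent_ds.discard(ds_digest(owner, lk))
    record("4 losing keys and DS retired", prev)
    return trace


def abrupt_change(owner: str = "example.test.") -> bool:
    """Gaining operator replaces the DNSKEY RRset while the parent still holds only the old DS."""
    lk = constructed_key("losing-ksk", KSK_FLAGS)
    gk, gz = constructed_key("gaining-ksk", KSK_FLAGS), constructed_key("gaining-zsk", ZSK_FLAGS)
    return chain_ok(owner, {gk, gz}, {gk.key_tag()}, {ds_digest(owner, lk)})


if __name__ == "__main__":
    for step, ok in operator_change():
        print(f"{'secure' if ok else 'BOGUS '}  {step}")
    print("abrupt switch without DS update:", "secure" if abrupt_change() else "BOGUS")
```

Running the module prints every step of the cooperative sequence as secure and the abrupt switch as bogus; the point of the model is that at no step does the losing operator have to hand over private key material, which matches the observation above that HSM-held keys cannot be exported anyway.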
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
