See my comment below.

________________________________________
From: regext [regext-boun...@ietf.org] on behalf of Patrick Mevzek [p...@dotandco.com]
Sent: Monday, 16 July 2018 21:32
To: regext@ietf.org
Subject: Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)

On Mon, Jul 16, 2018, at 21:08, Martin Casanova wrote:
> To be clear the domain info response will be sent just without the
> DNSSec part. Therefore a not DNSSec interested registrar will just not
> see the DNSSec configuration but all the rest of the domain info
> resData. I don't see a problem with that.

Here is the problem as already exposed: you may have registrars that do not
want to deal with DNSSEC on a philosophical principle. They may want to
specifically not try to transfer a currently DNSSEC enabled domain to them,
because they know it will break resolution and they do not want to handle the
customer saying that they broke the domain.

M: The Registrar does not need to check the domain with domain info in order to
check if he is allowed to do or not.
M: If he is not then we will prevent it (see next comment)

Besides using the DNS, in your case, this registrar has no way to know in
advance that the transfer will be a problem. And I suspect telling them
'Please be DNSSEC accredited with us and login with secDNS extension' will
fall on a deaf ear.

M: No, we never told such a thing to a registrar. However we do put in the
manual that a DNSSec Domain can only be transferred to a DNSSec enabled
Registrar (up to now at least)

> In case he is DNSSec enabled but still logs in without this extension he
> will get a failure with error message similar to  “Not allowed to
> transfer DNSSec Domain” when trying to transfer a DNSSec domain to him.

What happens for a non-DNSSEC enabled registrar (and hence not using secDNS on
login) when he tries to transfer to him a DNSSEC-enabled domain?
Is this refused?

M: Exactly. Through the transitive relation that we prevent him from starting a
DNSSec enabled session and a non-enabled session will never authorize an
incoming transfer of a DNSSec domain.


Also to leave the discussion on track, this DNSSEC part of domain:info response
was only one example of the same problem ("unhandled namespaces") outside of
the poll messages, because I think the problem is global and we should tackle
it globally (or not at all and leave it at the current status quo).

M: That's exactly what we should discuss in a minute :)


--
  Patrick Mevzek

Martin


_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
