Hi

Since we have programs in place to push DNSSEC, our number of signed domains is increasing rapidly.

This brings up an old question, and we were wondering how other registries handle it.

Let's assume a signed domain is being transferred but the new registrar (still...) does not support DNSSEC and is therefore not able to delete or modify the DS/KeyData at the registry. In that case the domain cannot be resolved anymore by validating resolvers until the DS/KeyData is deleted at the registry somehow.

What is your policy/solution for this case?

Here I outlined some possibilities:

- Keeping track (based on login <svcExtension> at login?) which registrars do DNSSEC and prohibit transfers of signed domains in case secDNS-1.1 is missing? This unnecessarily limits transfers of signed domains to DNSSEC unable registrars if the domain was signed via CDS where the domain was signed by the name-server owner. (no registrar involved)
- Deleting the DS/KeyData when the nameservers change? (This would raise further questions..)
- Support ticket of registrar and manual deletion by the registry?
- ...

Your feedback is appreciated.

Thanks!

Martin

--
SWITCH
Martin Casanova, Domain Applications
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 55, direct +41 44 268 16 25
martin.casan...@switch.ch, www.switch.ch
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
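
The first possibility listed in the message above, sketched as an added example (not part of the original post and not any registry's implementation): record at EPP login whether a registrar declared the secDNS-1.1 extension, then consult that record when a signed domain is transferred. `TransferGate`, `login_extensions`, the registrar IDs and both login documents are hypothetical or constructed for illustration.

```python
import xml.etree.ElementTree as ET

EPP_NS = {"e": "urn:ietf:params:xml:ns:epp-1.0"}
SECDNS_11 = "urn:ietf:params:xml:ns:secDNS-1.1"  # extension URI from RFC 5910

# Constructed sample <login>; "registrar-b" declares no secDNS extension.
LOGIN_NO_DNSSEC = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><login>
  <clID>registrar-b</clID><pw>placeholder</pw>
  <options><version>1.0</version><lang>en</lang></options>
  <svcs>
    <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
    <svcExtension><extURI>urn:ietf:params:xml:ns:rgp-1.0</extURI></svcExtension>
  </svcs>
</login><clTRID>ABC-1</clTRID></command></epp>"""
# Constructed sample: "registrar-a" additionally declares secDNS-1.1.
LOGIN_WITH_DNSSEC = LOGIN_NO_DNSSEC.replace("registrar-b", "registrar-a").replace(
    "</svcExtension>", "<extURI>%s</extURI></svcExtension>" % SECDNS_11)


def login_extensions(login_xml):
    """Return (clID, set of extURIs) declared in an EPP <login> command."""
    login = ET.fromstring(login_xml).find("e:command/e:login", EPP_NS)
    if login is None:
        raise ValueError("not an EPP <login> command")
    uris = {u.text.strip() for u in
            login.iterfind("e:svcs/e:svcExtension/e:extURI", EPP_NS) if u.text}
    return login.findtext("e:clID", namespaces=EPP_NS), uris


class TransferGate:
    """Hypothetical registry-side tracker of which registrars announced secDNS-1.1."""

    def __init__(self):
        self.dnssec_capable = {}  # clID -> bool, taken from the most recent login

    def record_login(self, login_xml):
        cl_id, uris = login_extensions(login_xml)
        self.dnssec_capable[cl_id] = SECDNS_11 in uris

    def check_transfer(self, gaining_cl_id, domain_has_ds):
        """'allow' if the gaining registrar can manage the DS/KeyData, else 'hold'."""
        if not domain_has_ds:
            return "allow"  # unsigned delegation: nothing to strand
        # A registrar never seen logging in is treated as not DNSSEC-capable.
        return "allow" if self.dnssec_capable.get(gaining_cl_id, False) else "hold"


if __name__ == "__main__":
    gate = TransferGate()
    gate.record_login(LOGIN_WITH_DNSSEC)
    gate.record_login(LOGIN_NO_DNSSEC)
    for registrar in ("registrar-a", "registrar-b"):
        print(registrar, gate.check_transfer(registrar, domain_has_ds=True))
```

What a registry does on "hold" (reject the transfer, open a ticket, remove the DS) is the open policy question in the message; the CDS case it mentions is not modelled here.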