Hi Martin,In case of transfer to a registrar that does not support DNSSEC, our
REGISTRIO platform does remove DNSSEC records from the domain. In case of just
changed nameservers, we keep the records.Kind regards,Iliya Bazlyankov | Domain
ExpertEDOMS+359899991690 Bulgaria+380636908345 ukraineil...@edoms.com |
il...@tool-domains.com
-------- Оригинално съобщение --------От: Martin Casanova
<martin.casan...@switch.ch> Дата: 2.09.21 г. 12:39 (GMT+02:00) До:
regext@ietf.org Тема: [regext] Transfer of signed domain to registrar that does
not support DNSSEC
Hi
Since we have programs in place to push DNSSEC our number of
signed domains is increasing rapidly.
This brings up a old question that we were wondering about how
other registries handle it.
Lets assume a singed domain is being transferred but the new
registrar (still...) does not support DNSSEC and is therefore not
able to delete or modify the DS/KeyData at the registry. In that
case the domain can not be resolved anymore by validating
resolvers until the DS/KeyData is deleted at the registry somehow.
What is your policy/solution for this case? Here I outlined some
possibilities:
- Keeping track (based on login <svcExtension> at login?)
which registrars do DNSSEC and prohibit transfers of singed
domains in case secDNS-1.1 is missing?
This unnecessarily limits transfers of singed domains to DNSSSEC
unable registrars if the domain was signed via CDS where the
domain was singed by the name-server owner. (no registrar
involved)
- Deleting the DS/KeyData when the nameservers changes? (This
would raise further questions..)
- Support ticket of registrar and manual deletion by the registry
?
- ...
Your feedback is appreciated. Thanks!
Martin
--
SWITCH
Martin Casanova, Domain Applications
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 55, direct +41 44 268 16 25
martin.casan...@switch.ch, www.switch.ch
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
