[dnssec-deployment] How does it work?
mlarson at verisign.com
Wed Jun 24 17:07:36 EDT 2009
On Wed, 24 Jun 2009, Andrew Sullivan wrote:
> Sure, having the extra DS in the parent is not a risk. But keeping
> that extra DS at the parent does not ensure that there will not be
> validation failures.
I disagree. I think we are making this situation too complicated. If
a registrant adds a DS in the parent for its new key at the new DNS
hosting provider far enough in advance of the transfer, and keeps the
old DS record in place long enough after the transfer, then both
signed versions of the zone (pre- and post-transfer) are covered.
So there is a possible path within the protocol--and that's the
important part--that keeps the zone secure across the transfer. If
that procedure isn't possible because of various business arrangements
between registrant, registrars and DNS hosting providers, well, it's
not up to us to engineer for every conceivable situation. If one
outsources the hosting and signing of one's zone, there is a certain
loss of control. There can be tremendous benefits, but there can also
be consequences and the possibility of a less-than-graceful transfer
involving DNSSEC may be one of those consequences. In the end,
there's always the option to go insecure for the transfer.
More information about the Dnssec-deployment