[Dnssec-deployment] Publishing DS records in WHOIS
Edward Lewis
Ed.Lewis at neustar.biz
Fri Jul 30 02:06:52 EDT 2010
At 10:52 +1200 7/30/10, Jay Daley wrote:
>Does anyone have any view on whether registries should publish DS records
>in their WHOIS?

We don't. DNSSEC has nothing to do with WhoIs. In short, from a
systems development point of view, there was no need to have any task
hitting whois.

But why list the NS set, isn't that the same thing?

Here's a watery argument. "Shared fate." The DS records are
authoritative in the registry's DNS - if you can't reach that you
also can't get the referral to the registrant's servers. As for the
NS set, it's possible you can't see what the registry has (if the
registrant's zone is also on all of the registry's servers).

Another argument is that the WhoIs is a fallback for a broken DNS set
up, and you might want to try to debug a situation. It's plausible
that you could by hand deal with name servers, but doing validation
by hand probably not.

That's an odd case. But nothing is all that rigorous in WhoIs. I
suppose it wouldn't hurt to add, but on the other hand, we saw no
value in upsetting yet another apple cart when developing.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.