[Dnssec-deployment] Publishing DS records in WHOIS
Michael Richardson
mcr at sandelman.ca
Fri Jul 30 10:18:40 EDT 2010
>>>>> "Edward" == Edward Lewis <Ed.Lewis at neustar.biz> writes:
>> Does anyone have any view on whether registries should publish DS
>> records in their WHOIS?
Edward> We don't. DNSSEC has nothing to do with WhoIs, in short,
Edward> from a systems development point of view, there was no need
Edward> to have any task hitting whois.
Edward> But why list the NS set, isn't that the same thing?
Edward> Here's a watery argument. "Shared fate." The DS records
Edward> are authoritative in the registry's DNS - if you can't reach
Edward> that you also can't get the referral to the registrant's
Edward> servers. As for the NS set, it's possible you can't see
Edward> what the registry has (if the registrant's zone is also on
Edward> all of the registry's servers).
Edward> Another argument is that the WhoIs is a fallback for a
Edward> broken DNS set up, and you might want to try to debug a
Edward> situation. It's plausible that you could by hand deal with
Edward> name servers, but doing validation by hand probably not.
I think that listing the DS in whois would be useful for humans who
are debugging.
When a zone has problems, a regular thing to do is compare dig +trace
output to whois output. Then, query each server that whois says is
supposed to answer, and see if it does. Often the registered servers
are lame, or have been neglected and have stale data.
Okay, now enter DNSSEC. A server can now be lame because it has data,
but the signatures on that data can not be verified because the DNSKEY
that signed them is not the one in the DS. Worst case, some broken
secondary server happily just throws out all the DNS* RR, and does not
serve them, so only secure resolvers break when they use that server.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
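The DNSKEY-versus-DS comparison described above, as an added example that is not part of the original post: given the DS set the parent (or whois) publishes and the DNSKEY set one name server answered with, it reports which keys are covered by a DS, which are not, and which DS records match no served key. All record text and key material is constructed, and names such as `check_keys` are this example's own.

```python
import base64
import hashlib
import struct
# Added example: the DS <-> DNSKEY check a validator performs, done by hand so a
# person debugging a zone can see why one server is "lame" only for validators.
def name_to_wire(name):
    """Owner name in canonical wire form: lower-case labels (RFC 4034 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF
def ds_for(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA (tag, alg, digest type, hex digest) that would cover this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]  # SHA-1 / SHA-256 only
    return (key_tag(rdata), algorithm, digest_type,
            h(name_to_wire(owner) + rdata).hexdigest().upper())
def parse_rr(line):
    """'owner [ttl] [IN] DS|DNSKEY f1 f2 f3 data...' -> (owner, type, fields)."""
    f = line.split()
    owner = f.pop(0)
    while f[0].isdigit() or f[0].upper() == "IN":  # skip optional TTL and class
        f.pop(0)
    rtype = f.pop(0).upper()
    data = "".join(f[3:])  # base64 key / hex digest may be split by whitespace
    return owner, rtype, [int(f[0]), int(f[1]), int(f[2]),
                          data if rtype == "DNSKEY" else data.upper()]
def check_keys(ds_lines, dnskey_lines):
    """Returns (covered key tags, uncovered key tags, DS tags matching no key)."""
    published = {tuple(parse_rr(l)[2]) for l in ds_lines}
    covered, uncovered, seen = [], [], set()
    for l in dnskey_lines:
        owner, _, (flags, proto, alg, key) = parse_rr(l)
        hits = [ds for ds in published
                if ds[2] in (1, 2) and ds_for(owner, flags, proto, alg, key, ds[2]) == ds]
        (covered if hits else uncovered).append(key_tag(dnskey_rdata(flags, proto, alg, key)))
        seen.update(hits)
    return covered, uncovered, sorted(ds[0] for ds in published - seen)
if __name__ == "__main__":  # constructed: parent DS covers "AQIDBA==", stale server serves another key
    zone = "example.test."
    ds_line = "%s 3600 IN DS %d %d %d %s" % ((zone,) + ds_for(zone, 257, 3, 8, "AQIDBA=="))
    print(check_keys([ds_line], [zone + " IN DNSKEY 257 3 8 BQYHCA=="]))  # ([], [4119], [2063])
```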