> they handled the DS submission via email
There seem to be more than one registrar that claims to handle DNSSEC via mail. Never mind security questions such as whether or how (e.g. PGP vs. S/MIME) that mail is signed, or whether there are other protections against bad guy games.

RFC 4641 suggests "planning for a key effectivity on the order of a few months" for key signing keys. Negotiating with a registrar's support mailbox every few months, or even once every year or two, strikes me as at best impractical in a professional operational (as opposed to vanity domain or test) setting. And what happens in an emergency key rollover after you suspect that the computer with the secret keys has been compromised, or after a less than amicable trusted employee departure?

As far as I'm concerned, the years-old registrar answer to the "DNSSEC?" question of "send mail to support" is a disingenuous effort to pass checklists. I don't understand why registrars are dragging their feet. To my naive ears, transfer locking, "privacy guard", HTTP and mail forwarding, and other de facto standard registrar services sound harder than accepting and signing keys. But then I also don't understand why it took them so long to start handling IPv6 glue.

Vernon Schryver [email protected]

P.S. Of course, given men in the middle and so forth, the HTTPS web pages used by registrars to change NS and glue records are not very secure...except compared to unauthenticated, trivially forged mail.
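The DS record that gets mailed to the registrar in the thread above is derived mechanically from the KSK's DNSKEY RDATA (RFC 4034 section 5.1.4 and Appendix B). The following is an added example, not code from the original post or from any registrar: it builds the DS from a DNSKEY and, for the rollover case, checks whether the DS the parent actually publishes still points at the key you hold. The owner name, the dummy public key bytes and the 257/3/8 (KSK, DNSSEC, RSASHA256) parameters are constructed for illustration; a real RSA key is far longer than four bytes.

```python
"""DS generation and DS-vs-DNSKEY checking (RFC 4034).  Added example; the
DNSKEY material below is a constructed dummy, not a real key."""
import base64
import hashlib
import struct

# Constructed sample KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 8 (RSASHA256).
KSK_FLAGS = 257
DUMMY_PUBKEY = base64.b64decode("AQIDBA==")  # bytes 01 02 03 04 (dummy, not a real key)

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (IANA registry).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    trimmed = name.rstrip(".").lower()
    labels = trimmed.split(".") if trimmed else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the non-RSA/MD5 algorithm)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """digest = H(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS RR: what you would hand to the registrar."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def parse_ds(rr: str) -> tuple:
    """Parse 'owner [ttl] [IN] DS tag alg dtype digest...' (digest may be split by spaces)."""
    fields = rr.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()
    return fields[0], tag, alg, dtype, digest


def ds_matches_dnskey(ds_rr: str, flags: int, protocol: int, algorithm: int,
                      pubkey: bytes) -> bool:
    """Does the parent-published DS point at this DNSKEY?  All three of key tag,
    algorithm and digest must agree; an unknown digest type never matches."""
    owner, tag, alg, dtype, digest = parse_ds(ds_rr)
    if dtype not in DIGEST_ALGS:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (tag == key_tag(rdata) and alg == algorithm
            and digest == ds_digest(owner, rdata, dtype))


if __name__ == "__main__":
    rr = ds_record("example.com.", KSK_FLAGS, 3, 8, DUMMY_PUBKEY)
    print(rr)
    # After a rollover, compare what the parent serves against the new key:
    print("parent DS matches current KSK:", ds_matches_dnskey(rr, KSK_FLAGS, 3, 8, DUMMY_PUBKEY))
```

During a rollover, feed `ds_matches_dnskey` the DS set fetched from the parent zone; the new KSK is not live until at least one of those DS records returns True, and the old one can only be retired once its DS is gone from the parent and has expired from caches.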
