I've thought of a bigger, painfully obvious reason why "send mail to support" is an unacceptable answer from a registrar for DNSSEC. If something happens that breaks DNSSEC validation, your entire domain will be hosed for the 48 or more hours (e.g. over a long weekend) that must be allowed for a mail support cycle. If your registrar fat fingers your DS RRs or you lose your key pair in a disk crash, your domain is dead. Given that standard anti-spam checks validate envelope domain names, it is possible that you won't even be able to send mail to your registrar except from a free mail provider or other third party account, worsening the authentication and authorization concerns of changing keys by mail. Today you can fix broken glue or delegations in minutes, but "send mail to support for DNSSEC" sends you back to the bad old days decades ago when a misplaced invoice or broken authoritative servers would put you off the net for days.
It might not be quite that bad if your web users and mail recipients are using old DNS resolvers. But if they're using current code with defaults such as BIND's "dnssec-enable yes", "dnssec-validation yes", and "dnssec-accept-expired no", they'll get the nothing I get from http://www.dnssec-failed.com.

A second thought is prompted by Verisign's DNSSEC Scoreboard:

http://scoreboard.verisignlabs.com/
http://scoreboard.verisignlabs.com/count-trace.png
http://scoreboard.verisignlabs.com/percent-trace.png

Those suggest that a smaller than trivial number of com and net domains are currently signed, but that they've doubled in the last couple of months. There are a lot of com domains, but a doubling time of 60 days wouldn't take long to make a big dent.

Vernon Schryver [email protected]
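The post's failure scenario is a registrar publishing a DS record that does not match the child zone's DNSKEY, which turns the whole domain into the "nothing" that validating resolvers return. The check below is an added example, not code from the post or from any registrar or DNS-OARC project: it recomputes the DS digest from a DNSKEY RDATA exactly as RFC 4034 specifies (key tag from Appendix B, digest over the owner name in wire format plus the RDATA) and compares it with what the parent publishes, so a fat-fingered DS can be caught offline before a resolver does. The owner name, the 64-byte "public key" and the DS records are constructed placeholders, not real keys.

```python
"""Offline DS-vs-DNSKEY consistency check per RFC 4034 (added example).

All records below are constructed; nothing here queries the network.
"""
import hashlib
from typing import List, Tuple

# DS digest types from the IANA registry that the standard library can compute.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# A DS record as (key_tag, algorithm, digest_type, hex_digest).
DS = Tuple[int, int, int, str]


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase labels, length-prefixed, root terminator."""
    stripped = name.strip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not the RSA/MD5 special case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """Build the DS record a parent should publish for this DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def check_delegation(owner: str, dnskeys: List[bytes], ds_set: List[DS]) -> List[str]:
    """Return a problem description for every DS that no DNSKEY can reproduce.

    An empty list means every DS at the parent is backed by a key in the child.
    Key tags can collide, so every DNSKEY with a matching tag/algorithm is tried.
    """
    problems = []
    for tag, alg, dtype, digest in ds_set:
        label = f"DS {tag}/{alg}/{dtype}"
        if dtype not in DIGESTS:
            problems.append(f"{label}: unsupported digest type, resolvers will ignore it")
            continue
        candidates = [k for k in dnskeys if key_tag(k) == tag and k[3] == alg]
        if not candidates:
            problems.append(f"{label}: no DNSKEY with that key tag and algorithm")
            continue
        if not any(make_ds(owner, k, dtype)[3] == digest.lower() for k in candidates):
            problems.append(f"{label}: digest matches no DNSKEY (typo in the DS?)")
    return problems


# Constructed KSK: flags 257 (SEP bit), protocol 3, algorithm 13, fake 64-byte key.
OWNER = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))


def demo() -> Tuple[List[str], List[str]]:
    """Correct DS versus a DS with one hex digit altered, as a registrar typo would produce."""
    good = make_ds(OWNER, KSK)
    tag, alg, dtype, digest = good
    flipped = ("0" if digest[0] != "0" else "1") + digest[1:]
    typo = (tag, alg, dtype, flipped)
    return check_delegation(OWNER, [KSK], [good]), check_delegation(OWNER, [KSK], [typo])


if __name__ == "__main__":
    ok, bad = demo()
    print("correct DS :", ok or "matches DNSKEY")
    print("typo DS    :", bad)
```

Run the same check on the live records (child DNSKEY RRset, parent DS RRset) from a cron job and page on any non-empty result; the key-tag arithmetic above is the standard RFC 4034 one, so the output is comparable with what `dnssec-dsfromkey` or `ldns-key2ds` print for the same key.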
