On 13 Oct 2013, at 08:26, Marco Davids (SIDN) <[email protected]> wrote:
> Interesting thought, but I don't know, Jim. Sounds like some way of
> circular dependency to me?

Maybe Marco. I did say I was hand-waving though. :-)

That said, there might be some merit in a scheme like the one I outlined. Assuming of course that there was a clean separation between the registry-registrar channel and the management of DNS content. Which may not be there because registrars generally provide DNS for their registrants. If a bad guy has to spoof the registrant's credentials for the registrar AND change the DNS content for the domain to be hijacked, that might be a good enough barrier for "important" zones. After all they're unlikely to be hosted or managed from the registrar's control panel, less so if DNSSEC is involved.

> For instance, what would happen if the registrar would upload the wrong
> DNSKEY/DS to the parent and want to correct that? Would be impossible,
> because validation is broken at that time?

So don't do that. :-)

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
