Bill Woodcock <wo...@pch.net> wrote:

> We’d be _very interested_ in seeing a standardized, end-to-end
> registry-locking model. Specifically, one in which the registrant signs
> change requests, and the registry validates the signatures, and nobody
> in the registrar path is involved in any way.

How do you see this interacting with DNSSEC key rollovers?

I would like to see better automation for KSK rollovers, but the poor
state of registrar APIs and the added risk of exposing registrar
credentials make it more difficult than I would like. I guess the best
answer is more RFC 7344 CDS/CDNSKEY support, because that avoids the
shared secret risks and it won't be made more difficult by security
hardening the delegation update process.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
East Sole, Lundy, Fastnet, Irish Sea: Southeasterly 4 or 5. Rough or very
rough, but slight or moderate in Irish Sea. Mainly fair. Good, occasionally
poor.
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
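
Added example, not part of the message above: a sketch of the parent-side consistency check behind RFC 7344 CDS processing, where the DS set is derived from what the child zone publishes rather than from a registrar credential. The function names and key bytes are constructed for illustration, and it assumes the CDS and DNSKEY RRsets were already DNSSEC-validated against the current DS by a validating resolver.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercased) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def cds_acceptable(owner, cds_set, dnskey_set):
    """Every CDS must correspond to a key in the child's DNSKEY RRset.
    Assumption: both RRsets were already DNSSEC-validated via the current DS."""
    derived = {ds_from_dnskey(owner, k) for k in dnskey_set}
    return bool(cds_set) and all(cds in derived for cds in cds_set)

# Constructed sample data: placeholder key bytes, not real ECDSA keys.
ZONE = "example."
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
DNSKEYS = [OLD_KSK, NEW_KSK]
CDS = [ds_from_dnskey(ZONE, NEW_KSK)]  # child signals the rollover to NEW_KSK
tag, alg, dtype, digest = CDS[0]
FORGED = [(tag, alg, dtype, hashlib.sha256(b"other key").digest())]

if __name__ == "__main__":
    print("published CDS accepted:", cds_acceptable(ZONE, CDS, DNSKEYS))
    print("forged CDS accepted:   ", cds_acceptable(ZONE, FORGED, DNSKEYS))
```

The check covers only the match between CDS and DNSKEY; signature validation and the RFC 8078 delete signal are outside this sketch.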
