registrar transfers (was Re: [dnsext] Trust Anchors)
On 2009-10-27, at 13:10, João Damas wrote:
> Given this is an operational problem, I believe tweaking the
> protocol will never yield a perfect solution and that this sort of
> situation would see the users better served by crafting a BCP where,
> for instance, the choreography necessary for domain moves between
> registrars would be listed.
This is very much an aside, but I continue to be mildly alarmed by the
conflation of "registrar" with "zone manager" in this kind of
discussion.
Changing registrar in and of itself has no impact on DNSSEC, and there
is no requirement to roll keys or change trust anchors as part of a
registrar transfer. This is a simple database operation at the
registry, and does not affect what is published in the DNS at all.
The case where you need to manage a key rollover is when the entity
managing the zone changes.
I appreciate that there are cases where a single organisation carries out
both functions (registrar and zone manager) but this is certainly not
the general case.
For example, I have heard concern that without the problem of
transfers between registrars being solved, prominent/popular domains
will never be signed. Any such concern is very easily avoided by not
having a registrar sign the zone in the first place.
Perhaps the useful BCP to promote in this area is "don't let other
people hold your keys if you care about your zone". Surely this is
obvious, though.
Joe