[dnsext] Re: registrar transfers
On 28 Oct 2009, at 11:14, Joe Abley wrote:

> Changing registrar in and of itself has no impact on DNSSEC

I'm not sure that will always be the case, Joe. Of course it should
be....
Delegation metadata shouldn't change at the registry when the
registrar changes. But it would not be wise to assume that. For
instance, what if the registrar is involved in submitting the
registrant's (zone manager's) KSK to the registry, say in an EPP
transaction? Bad Things could happen at the registry if the EPP
transfer request fails to include the delegation's KSK(s). For
instance, would this hypothetical transfer without KSK(s) transaction
mean it's still OK for the current KSK(s) to be used or not?

> I have heard concern that without the problem of transfers between
> registrars being solved, prominent/popular domains will never be
> signed. Any such concern is very easily avoided by not having a
> registrar sign the zone in the first place.

True. But this is somewhat idealistic IMO if DNSSEC ever becomes
mainstream. The vast majority of people with domain names rely on
their ISP or registrar as their source of DNS clue. So it's inevitable
they'll turn to that source when it comes to signing their zones, just
as they turn to them for DNS/mail/web hosting. I'm doubtful that
uptake of DNSSEC is going to be encouraged by pushing the complexity
of signing and key rollover out to the edges of the network where the
DNS skill levels are low.

BTW, this thread probably should move from namedroppers if it continues.