.nz Domain Name Commission

.nz DNSSEC Policy Consultation Submission
From: Glen Eustace
Received: October 25 2010

The proposed mechanism that registrars are supposedly going to be required to follow is going to be very difficult to automate.  Many of the systems in place rely heavily on being automated and requiring little if any intervention in their operation. Where staff resources are an issue, this whole process could become a bottleneck or fall over completely.


> DNSSEC Transfers

> In relation to DNSSEC the following apply:

> Registrars that are not DNSSEC-capable must check if a name is signed

> before it is transferred in. If the name is signed then the

> registrar must notify the registrant of the implications of

> transferring in a signed name, and the registrant must confirm the

> transfer, before the registrar can initiate it.


If nothing is allowed to change during a transfer, particularly the name servers, then changing registrar should not have any impact on the operation of the domain.  The issue becomes more one of the losing registrar, if they are the DNS operator should not automatically remove the domain from their DNS following the transfer.


> The following cooperation and participation will be required by

> registrars, when involved in the transfer of a signed domain name,

> where the registrant wants to modify DNSSEC related information:


There needs to be some way to automate as much of this as possible.


> The gaining registrar must provide the new DNSKEY to the losing

> registrar.


If the Registrar is not the DNS operator, they are not going to have this unless it is supplied by the registrant.


> The losing registrar must add the new DNSKEY to their DNS for the

> domain name and continue to serve this until they are notified that

> the change is complete.


This presupposes that the losing registrar was the DNS operator, what if they were not ?


> The gaining registrar provides the DS Record to the losing registrar,

> who then provides it to the registry.


Shouldn't this be a problem between the gaining and losing DNS operators ? If the domain has already been transferred, then the gaining registrar who now has a relationship with the registrant can update the registry with the DS supplied by the registrant.


> Once the new DNSKEY and DS Record are visible to DNS resolvers then

> any changes to the name servers can be processed.


Again, this seems to be a DNS operator not a registrar issue to me.


> The name is then transferred.


I would have said that the domain is transfrred back at step one.  What I think this is trying to say is that the DNS service has been transferred which I don't believe is the same thing.


> The losing registrar must remove the domain name from their system

> when requested, but must not remove it before being requested to do

> so.


Again what if the losing registrar was not the DNS operator ?


> The gaining registrar can then delete the old DNSKEY provided by the

> losing registrar.


This seems to suggest that even if a losing registrar is not the DNS operator, they are going to have access to the current DNSKEY.  Is that actually going to be the case ?


It would seem to me that the transfer of a domain is actually straight forward and is really no different from what we currently have.  The issue seems to be more one of how we update name servers when the domain is DNSSEC enabled.


Before one compels registrars to assist, I think we need to be very clear about what assistance they are actually going to be able to give and what they are actually assisting with.