Hi Q,

On 7/25/25 12:05, Q Misell wrote:
> Dearest fellow DNS sufferers,

:-)

> My issue with the draft is on its recommendations for registry lock, particularly:
>
> "Automated DS maintenance SHOULD be suspended when a registry lock is set (in particular, EPP lock serverUpdateProhibited)"
>
> I don't like this. serverUpdateProhibited is normally utilised to prevent changing the registrant of a domain, or changing (non-DNSSEC) nameservers - primarily in the case of a malicious party getting access to a registrar's EPP connection. However, in the case of a CDS key rollover we know the key rollover is intentional, as it is cryptographically signed.

This may be an option, if the automation is performed by the registry. However, do you think DS automation done by the registrar is compatible with a registry lock à la serverUpdateProhibited?

Best,
Peter
