> -----Original Message-----
> From: Peter Thomassen <[email protected]>
> Sent: Thursday, August 7, 2025 1:25 PM
> To: Q Misell <[email protected]>; dnsop <[email protected]>
> Subject: [EXTERNAL] [DNSOP] Re: serverUpdateProhibited and draft-shetho-dnsop-ds-automation
>
> Hi Q,
>
> On 7/25/25 12:05, Q Misell wrote:
> > Dearest fellow DNS sufferers,
>
> :-)
>
> > My issue with the draft is on its recommendations for registry lock, particularly:
> >
> > "Automated DS maintenance SHOULD be suspended when a registry lock is set (in particular, EPP lock serverUpdateProhibited)"
> >
> > I don't like this. serverUpdateProhibited is normally utilised to prevent changing the registrant of a domain, or changing (non-DNSSEC) nameservers - primarily in the case of a malicious party getting access to a registrar's EPP connection. However, in the case of a CDS key rollover we know the key rollover is intentional, as it is cryptographically signed.
>
> This may be an option, if the automation is performed by the registry. However, do you think DS automation done by the registrar is compatible with a registry lock à la serverUpdateProhibited?

[SAH] It may help to review what RFC 5731 says about the status:

"Requests to update the object (other than to remove this status) MUST be rejected."

The intention is to ensure that no one but the EPP server operator is able to update the domain object. This can happen for protection reasons (such as described above), but it can also happen for other reasons, like non-payment of fees. If the EPP server operator says "no updates", the best approach is to honor that. Work with the server operator to remove the status if it's an issue for a CDS key rollover.

Scott
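
Added example, not part of the original messages or of the draft: one way a registrar-side DS automation job could honor the status discussed above, by reading the status elements from an EPP domain info response before submitting a CDS-derived DS change. The sample responses, the function names and the fail-closed handling of a response without status data are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"  # RFC 5731 domain mapping namespace
LOCK = "serverUpdateProhibited"

# Constructed, trimmed EPP <info> response template; not output from a real registry.
_TEMPLATE = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><response>
  <result code="1000"><msg>Command completed successfully</msg></result>
  <resData><domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
    <domain:name>{name}</domain:name>
    {statuses}
  </domain:infData></resData>
</response></epp>"""
LOCKED = _TEMPLATE.format(
    name="locked.example",
    statuses='<domain:status s="serverUpdateProhibited">Registry lock</domain:status>')
UNLOCKED = _TEMPLATE.format(name="open.example", statuses='<domain:status s="ok"/>')


def domain_statuses(info_response: str) -> dict[str, str]:
    """Map each status value (the 's' attribute) to its optional free-text reason."""
    root = ET.fromstring(info_response)
    return {el.get("s"): (el.text or "").strip()
            for el in root.iter(f"{{{DOMAIN_NS}}}status") if el.get("s")}


def ds_update_decision(info_response: str) -> tuple[bool, str]:
    """Return (submit?, reason) for a DS change derived from a validated CDS record."""
    statuses = domain_statuses(info_response)
    if not statuses:
        # Assumption: fail closed, since an unlocked state cannot be shown.
        return False, "suspend: no status information in info response"
    if LOCK in statuses:
        why = statuses[LOCK] or "no reason given"
        return False, f"suspend: {LOCK} set ({why}); ask the server operator to remove it"
    return True, "proceed: no update lock on the domain object"


if __name__ == "__main__":
    for sample in (LOCKED, UNLOCKED):
        print(ds_update_decision(sample))
```

The check runs before any update command is built, so a locked domain produces a logged suspension instead of an EPP update that the server would reject.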
