Hi Scott,
On 8/7/25 20:04, Hollenbeck, Scott wrote:
"Automated DS maintenance SHOULD be suspended when a registry lock is
set (in particular, EPP lock serverUpdateProhibited)"
I don't like this. serverUpdateProhibited is normally utilised to prevent
changing the registrant of a domain, or changing (non-DNSSEC) nameservers -
primarily in the case of a malitious party getting access to a registar's EPP
connection. However, in the case of a CDS key rollover we know the key rollover
is intentional, as it is cryptographically signed.
This may be an option, if the automation is performed by the registry. However,
do you think DS automation done by the registrar is compatible with a registry
lock à la serverUpdateProhibited?
[SAH] It may help to review what RFC 5731 says about the status:
"Requests to update the object (other than to remove this status) MUST be
rejected."
The intention is to ensure that no one but the EPP server operator is able to
update the domain object.
Thank you for this pointer and clarification. I take it that the word
"requests" in the above sentence refers to requests from the EPP client, i.e.,
EPP requests sent by the registrar.
I've updated the draft to reflect this new understanding. It now says:
4.1. Recommendations
1. To secure ongoing operations, automated DS maintenance SHOULD NOT
be suspended based on a registrar update lock alone (such as EPP
status clientUpdateProhibited).
2. When performed by the registry, automated DS maintenance SHOULD
NOT be suspended based on a registry update lock alone (such as
EPP status serverUpdateProhibited).
... with the updated rationale reflecting the above.
Best,
Peter
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
