> [Peter] However, do you think DS automation done by the registrar is compatible with a registry lock à la serverUpdateProhibited?
No, it isn't. There isn't really a way for the registrar to prove to the registry that it verified the right bits to do this rollover, so it shouldn't be allowed under serverUpdateProhibited.

> [Scott] The intention is to ensure that no one but the EPP server operator is able to update the domain object.

This, to me, fits into what I said. serverUpdateProhibited stops the registrar doing a rollover, but does not stop the registry (as the EPP server) from doing so.

> [Peter] I've updated the draft to reflect this new understanding

I agree with the new recommendations you've written.

Q

On Thu, 7 Aug 2025 at 19:25 Peter Thomassen <peter= [email protected]> wrote:
> Hi Q,
>
> On 7/25/25 12:05, Q Misell wrote:
> > Dearest fellow DNS sufferers,
>
> :-)
>
> > My issue with the draft is on its recommendations for registry lock, particularly:
> >
> > "Automated DS maintenance SHOULD be suspended when a registry lock is set (in particular, EPP lock serverUpdateProhibited)"
> >
> > I don't like this. serverUpdateProhibited is normally utilised to prevent changing the registrant of a domain, or changing (non-DNSSEC) nameservers - primarily in the case of a malicious party getting access to a registrar's EPP connection. However, in the case of a CDS key rollover we know the key rollover is intentional, as it is cryptographically signed.
>
> This may be an option, if the automation is performed by the registry. However, do you think DS automation done by the registrar is compatible with a registry lock à la serverUpdateProhibited?
>
> Best,
> Peter
>
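An added example (not code from the thread or from the draft) of the check that follows from the conclusion above: a registrar's CDS-driven automation reads the domain's EPP <domain:info> response and refuses to push a DS update while serverUpdateProhibited is set, whereas the registry (the EPP server operator) is not blocked by that status. The domain name, the response builder and the "registrar"/"registry" actor labels are constructed for illustration; the XML namespaces and status values are the ones defined in RFC 5730/5731.

```python
import xml.etree.ElementTree as ET

# EPP namespaces from RFC 5730 (epp-1.0) and RFC 5731 (domain-1.0).
EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"


def build_info_response(name: str, statuses: list[str]) -> str:
    """Constructed <domain:info> response used as sample input (not a real registry's output)."""
    status_xml = "".join(f'<domain:status s="{s}"/>' for s in statuses)
    return (
        f'<?xml version="1.0" encoding="UTF-8"?>'
        f'<epp xmlns="{EPP_NS}"><response>'
        f'<result code="1000"><msg>Command completed successfully</msg></result>'
        f'<resData><domain:infData xmlns:domain="{DOMAIN_NS}">'
        f'<domain:name>{name}</domain:name>{status_xml}'
        f'</domain:infData></resData></response></epp>'
    )


def epp_statuses(info_xml: str) -> set[str]:
    """Extract the EPP status values (the s="..." attributes) from a <domain:info> response."""
    root = ET.fromstring(info_xml)
    return {el.get("s") for el in root.iter(f"{{{DOMAIN_NS}}}status") if el.get("s")}


def may_automate_ds(statuses: set[str], actor: str) -> bool:
    """Decide whether automated DS maintenance may proceed for the given actor.

    actor is "registrar" (an EPP client) or "registry" (the EPP server operator).
    serverUpdateProhibited is a registry lock: it blocks the registrar, who has no way to prove to
    the registry that it verified the CDS/CDNSKEY rollover, but it does not bind the registry itself.
    """
    if actor not in ("registrar", "registry"):
        raise ValueError(f"unknown actor {actor!r}")
    if "serverUpdateProhibited" in statuses:
        return actor == "registry"
    return True


if __name__ == "__main__":
    # example.test is a placeholder name; serverDeleteProhibited is included to show that
    # other server-side locks are not what gates DS automation here.
    locked = epp_statuses(build_info_response("example.test", ["serverUpdateProhibited", "serverDeleteProhibited"]))
    print("registrar may update DS:", may_automate_ds(locked, "registrar"))  # False
    print("registry may update DS:", may_automate_ds(locked, "registry"))    # True
```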
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
