[gtld-tech] .DESI to Be Placed in the Emergency Back-end Registry Operator Program

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Oct 17 19:07:23 UTC 2023


On Tue, Oct 17, 2023 at 12:38:13PM +0000, Francisco Arias via gtld-tech wrote:

> ICANN is transferring the operation of the .DESI gTLD to an Emergency
> Back-end Registry Operator (EBERO) to ensure the continued operation
> of the generic top-level domain (gTLD) and protect registrants. As
> part of this transfer, .DESI has transitioned from a secure DNSSEC
> state to an insecure DNSSEC state (i.e., the DS records for .DESI have
> been removed from the root zone). After the transfer, ICANN will work
> with the designated EBERO provider to transition the .DESI gTLD back
> to a secure state (i.e., signing the zone for .DESI and adding new DS
> records for .DESI in the root zone). After evaluating available
> options, we believe the temporary move to an insecure state was the
> best available option.

I gather a graceful key rollover from the current algorithm 8
(RSASHA256) KSK to a new KSK for the same algorithm at the new operator
was not an option?

All that this would have required of the new operator is to add the new
provider's KSK and ZSK to the DNSKEY RRset, augment the zone apex NS
RRset and re-sign the zone.

So presumably the prior operator was unable and/or unwilling to sign
updated zone apex DNSKEY and RRsets?

Or was this just a "risk" decision?  It would be reassuring to know that
for more "critical" zones there is, when/if needed, a more graceful,
known to work process.

-- 
    Viktor.
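
A simplified model of the rollover sketched in the message above, added here as an example and not part of the original post: it computes RFC 4034 key tags and SHA-256 DS digests for constructed placeholder keys and reports how a validator would classify the .DESI delegation at each stage. The stage list, the key bytes and the `signer_tags` shortcut (signatures assumed valid, TTLs and caches ignored) are assumptions.

```python
import hashlib
import struct

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA wire form (RFC 4034 section 2.1); the protocol field is always 3."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over the wire-form owner name plus DNSKEY RDATA."""
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def chain_state(owner, parent_ds, dnskey_rrset, signer_tags):
    """Validator's view of the delegation: 'insecure', 'secure' or 'bogus'.
    signer_tags: key tags whose RRSIG over the DNSKEY RRset is assumed to verify."""
    if not parent_ds:
        return "insecure"            # no DS in the parent: validation is switched off
    for rdata in dnskey_rrset:
        zone_key = struct.unpack("!H", rdata[:2])[0] & 0x0100
        tag = key_tag(rdata)
        if zone_key and tag in signer_tags and (tag, ds_sha256(owner, rdata)) in parent_ds:
            return "secure"          # a DS-matched key signs the apex DNSKEY RRset
    return "bogus"                   # DS present but nothing chains to it: SERVFAIL

# Constructed placeholder key material, not real RSA keys; algorithm 8 as in the post.
OWNER = "desi."
def _key(flags, seed):
    return dnskey_rdata(flags, 8, hashlib.sha256(seed).digest() * 8)
OLD_KSK, OLD_ZSK = _key(257, b"old ksk"), _key(256, b"old zsk")
NEW_KSK, NEW_ZSK = _key(257, b"new ksk"), _key(256, b"new zsk")

def rollover_stages():
    ds = lambda k: (key_tag(k), ds_sha256(OWNER, k))
    old, new, both = [OLD_KSK, OLD_ZSK], [NEW_KSK, NEW_ZSK], [OLD_KSK, OLD_ZSK, NEW_KSK, NEW_ZSK]
    stages = [
        ("old operator only", {ds(OLD_KSK)}, old, {key_tag(OLD_KSK)}),
        ("new keys added, old KSK signs", {ds(OLD_KSK)}, both, {key_tag(OLD_KSK)}),
        ("DS swapped, new KSK signs", {ds(NEW_KSK)}, both, {key_tag(NEW_KSK)}),
        ("old keys withdrawn", {ds(NEW_KSK)}, new, {key_tag(NEW_KSK)}),
        ("old DS kept, old operator signs nothing", {ds(OLD_KSK)}, new, {key_tag(NEW_KSK)}),
        ("DS removed from the root", set(), new, {key_tag(NEW_KSK)}),
    ]
    return [(name, chain_state(OWNER, p, k, s)) for name, p, k, s in stages]

if __name__ == "__main__":
    for name, state in rollover_stages():
        print(f"{state:9} {name}")
```

The fifth stage is the failure mode the graceful path has to avoid: with the old DS still in the root and no DNSKEY RRset signed by the old KSK, validators treat the zone as bogus rather than insecure.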

