[EPP-discuss] Is DNSSEC really something we should automate on .dk?

From: Peter Larsen <peter.larsen_at_larsendata.dk>
Date: Wed, 20 Dec 2017 12:00:40 +0100


This is the EPP list, I’m aware of that, but I need to vent something.

As a first mover on DNSSEC it’s always joyful to revisit something that did not work, and still does not work.

In dk-hostmaster they invented DSU, or DS update. To be fair, it could have been working fine, but it’s just yet another API/implementation for something that does exist. We are never going to use it.

DNSSEC is a part of the EPP service provided; DNSSEC is also in the selfservice WEBinterface.


EPP and DSU can be used for automatic updates

WEBinterface is for manual updates

Both EPP and WEBinterface are "current developed" and recently released, DSU has been… unspoken of, since always.

Implementation-wise:

Show current keys and ownership:
EPP and DSU lack support for showing a list of current keys and ownership.
WEBinterface has support for showing a list of current keys and ownership.

Delete and deactivate current keys:
EPP and DSU: you can’t delete a key you don’t “own” … you only own keys you put there, unless you are the registrant, and only have DSU access, then you can delete keys. But you can’t get a list of current keys (both EPP and DSU).
WEBinterface: you still can’t delete the registrant’s DS keys, but you can deactivate it, which does exactly the same, it removes the key from the dk. zone. The WEBinterface can list the keys.

At least we should be able to do the same things with different interfaces. I really do not understand how someone can miss DNSSEC keys in EPP domain info, and why we can’t “deactivate”/delete keys in EPP, we can call it “remove”, you can “deactivate it”, I don’t give a rat’s ass about semantics, the fact is that I can “delete” a DS key that the user set on the webinterface, so I should not be greeted with “<result code="2201"><msg>DS set found, but you are not owner</msg> </result>” in EPP.

There must be a minimum functionality spec somewhere. For all systems..

So now I have the choice of automation of the WEBinterface, scrape it like good old times.


Manually fix around 2000 DS keys.. (this is where early implementation sucks)

We could also just get implementations that do not suck as much, that’s what I wish for Christmas this year. Please wrap it up nicely and place it under my Christmas tree. Fully functional EPP service. I would even just do with the commands already implemented, but I want full output.

Merry Christmas

regards, Peter Larsen - ICANN Accredited registrar

My info: http://larsen.tel
Company info: http://larsendata.tel
Received on Wed Dec 20 2017 - 12:00:40 CET
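
Added example, not part of the original message and not DK Hostmaster's code: the "DNSSEC keys in EPP domain info" asked for above is what the secDNS-1.1 extension (RFC 5910) carries as secDNS:infData in a domain info response. The Python below parses such a response and lists its DS records so they can be audited per domain; the domain name, key tag and digest are constructed sample values, and the error sample wraps the <result> element quoted in the message.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

NS = {"epp": "urn:ietf:params:xml:ns:epp-1.0",
      "domain": "urn:ietf:params:xml:ns:domain-1.0",
      "secDNS": "urn:ietf:params:xml:ns:secDNS-1.1"}
DS = namedtuple("DS", "key_tag alg digest_type digest")

# Constructed, trimmed info response (hypothetical domain, key tag and digest).
SAMPLE_INFO = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><response>
<result code="1000"><msg>Command completed successfully</msg></result>
<resData><domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
  <domain:name>example.dk</domain:name></domain:infData></resData>
<extension><secDNS:infData xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
  <secDNS:dsData><secDNS:keyTag>12345</secDNS:keyTag><secDNS:alg>8</secDNS:alg>
  <secDNS:digestType>2</secDNS:digestType>
  <secDNS:digest>a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4</secDNS:digest>
  </secDNS:dsData>
</secDNS:infData></extension></response></epp>"""

# The <result> quoted in the message, wrapped in a minimal response (constructed).
SAMPLE_DENIED = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><response>
<result code="2201"><msg>DS set found, but you are not owner</msg></result>
</response></epp>"""

class EppError(Exception):
    def __init__(self, code, msg):
        super().__init__(f"EPP {code}: {msg}")
        self.code, self.msg = code, msg

def parse_info(xml_text):
    """Return (domain name, [DS, ...]); raise EppError on a 2xxx result."""
    root = ET.fromstring(xml_text)
    result = root.find("epp:response/epp:result", NS)
    code = int(result.get("code"))
    if code >= 2000:  # RFC 5730: 1xxx codes are success, 2xxx are failures
        raise EppError(code, result.findtext("epp:msg", "", NS))
    name = root.findtext(".//domain:infData/domain:name", None, NS)
    # A response without the secDNS extension simply yields an empty list.
    ds = [DS(int(d.findtext("secDNS:keyTag", None, NS)),
             int(d.findtext("secDNS:alg", None, NS)),
             int(d.findtext("secDNS:digestType", None, NS)),
             d.findtext("secDNS:digest", None, NS).strip().upper())
          for d in root.iterfind(".//secDNS:infData/secDNS:dsData", NS)]
    return name, ds

def ds_rr(name, ds):
    """Render one DS record in zone-file presentation format."""
    return f"{name}. IN DS {ds.key_tag} {ds.alg} {ds.digest_type} {ds.digest}"
```

The ds_rr output can be compared line by line with the DS set actually published in the parent zone to spot stale or foreign keys.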
