Hi colleagues,

the SSAC has published SAC126.

### DNSSEC Delegation Signer (DS) Record Automation (SAC126):

The report focuses on the challenges associated with managing Delegation Signer (DS) records in the deployment of DNS Security Extensions (DNSSEC), particularly when a domain's DNS service is operated by a third-party DNS operator rather than the registrar. The report covers the following key points:

· Complexity in DNSSEC Deployment: DNSSEC deployment is complicated, particularly in managing DS records, which are crucial for linking a child domain's DNSSEC information to its parent zone.

· Responsibility for DS Maintenance: When a third-party DNS operator (not the registrar) manages the domain’s DNS, the registrant is responsible for coordinating the DS record maintenance. This involves obtaining DNSSEC key parameters from the DNS operator and passing them through the registrar to the registry.

· Challenges of Manual Processes: The process often requires the registrant to engage with various idiosyncratic interfaces across different DNS operators and registrars, leading to potential errors due to complexity and a mismatch with the registrant's knowledge.

· Need for Automation: Automating DS record management can alleviate these issues, allowing registries or registrars to update DS records without human involvement. Several approaches exist, such as having the parent zone (registry or registrar) pull information from the Child DNS operator.

· Standardization and Best Practices: Although there are IETF standards for some approaches, gaps remain in efficiency and error handling. The SSAC recommends that the domain name industry work towards fully automating DS record management, establishing best practices and improving standards to make DNSSEC deployment smoother and more reliable.

Link to the report: https://itp.cdn.icann.org/en/files/security-and-stability-advisory-committee....

Have a nice evening!

Best,
Matthias
Matthias M. Hudobnik
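As an added illustration (not part of the message above and not taken from SAC126), the following sketch shows the consistency check that DS automation performs on the registrant's behalf: derive the DS values from the child's DNSKEYs using the RFC 4034 key tag and a SHA-256 digest, then compare them with what the parent publishes. The function names are hypothetical and the key bytes are constructed sample values, not real keys.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercase) DNS wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    # Key tag checksum from RFC 4034, Appendix B
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, algorithm, public_key):
    """DS fields: (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_status(owner, parent_ds, child_keys):
    """Compare the parent's DS set with DS values derived from the child's DNSKEYs."""
    derived = {make_ds(owner, *key) for key in child_keys}
    matched = [ds for ds in parent_ds if ds in derived]
    stale = [ds for ds in parent_ds if ds not in derived]
    # A signed delegation with no DS matching any child key fails validation.
    return {"matched": matched, "stale": stale,
            "broken": bool(parent_ds) and not matched}

# Constructed sample keys (flags 257, algorithm 15); not real key material.
OLD_KEY = (257, 15, bytes(range(32)))
NEW_KEY = (257, 15, bytes(range(32, 64)))

if __name__ == "__main__":
    parent = [make_ds("example.com", *OLD_KEY)]
    # The DNS operator rolled its key, but the DS at the parent was never updated.
    print(ds_status("example.com", parent, [NEW_KEY]))
```
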