[dns-operations] any registries require DNSKEY not DS?

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jan 23 02:06:21 UTC 2020


On Wed, Jan 22, 2020 at 10:13:40PM +0000, Tony Finch wrote:

> Are there any registries that configure secure delegations from DNSKEY
> records (and do their own conversion to DS records) rather than accepting
> DS records from the registrant?

In answer to the converse question, at least some registries appear to
allow (or have allowed in the past) DS RRs with unverified content:

            domain           | alg | digest type
    -------------------------+-----+------------
    <aaaaaaa>.go.leg.br      |   8 |    0
    <aaaaaaa>.go.leg.br      |   8 |    1
    <bbbbbbbbbbbb>.pr.leg.br |   8 |    0
    <cccccc>.sp.leg.br       |   8 |    0
    <ddddd>.se               |  13 |    8
    <eeee>.se                |   8 |   61

The above 5 (obfuscated) domains have DS RRs with digest types outside
the registered IANA codepoints:

    https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

though the first also has a valid codepoint.

Among domains with at least one valid DNSKEY at least two have
additional keys with out of range codepoints, that were either not
checked by the parent, or added after the initial DS enrolment:

          domain        | alg | flags | inception
    --------------------+-----+-------+------------
    <aaaaa>.eu          | 157 |     0 | <predates survey>
    <aaaaa>.eu          |   7 |   256 |  -"-
    <aaaaa>.eu          |   7 |   257 |  -"-
    <bbbbbbbbbbbbb>.net |   7 |   256 |  -"-
    <bbbbbbbbbbbbb>.net |   7 |   257 |  -"-
    <bbbbbbbbbbbbb>.net | 165 |   512 | 2019-02-23

-- 
    Viktor.
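As an added illustration of the check the post implies the parent never ran (it is not part of Viktor's message, nor of any registry's code), below is a small Python script that (a) flags DS digest types and DNSKEY algorithm numbers that are not in the IANA registries, and (b) derives a DS from a DNSKEY per RFC 4034 so that a submitted DS can be compared against the child's actual key. The owner name `example.test.`, the key bytes and the DS records are constructed placeholders, not real zone data; the registry tables reflect the codepoints assigned at the time of the post and should be refreshed from the IANA pages before real use.

```python
"""Audit DS/DNSKEY codepoints and verify that a DS really derives from a DNSKEY (RFC 4034)."""
import hashlib
import struct
from typing import List, NamedTuple

# DS digest types registered at https://www.iana.org/assignments/ds-rr-types/
# when the post was written; later registrations must be added here.
REGISTERED_DS_DIGEST_TYPES = {1: "SHA-1", 2: "SHA-256", 3: "GOST R 34.11-94", 4: "SHA-384"}
DIGEST_FUNCTIONS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# DNSKEY algorithm numbers that name an actual algorithm, from
# https://www.iana.org/assignments/dns-sec-alg-numbers/ (0, 4, 9, 11 and
# 123-251 reserved, 17-122 unassigned, 252-254 indirect/private markers).
ASSIGNED_DNSKEY_ALGORITHMS = {1, 2, 3, 5, 6, 7, 8, 10, 12, 13, 14, 15, 16}


class DNSKEY(NamedTuple):
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # the base64 field of the RR, already decoded


class DS(NamedTuple):
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(key: DNSKEY, digest_type: int) -> DS:
    """Derive the DS for a DNSKEY, as a registry converting DNSKEY->DS itself would."""
    if digest_type not in DIGEST_FUNCTIONS:
        raise ValueError(f"cannot compute DS digest type {digest_type}")
    h = DIGEST_FUNCTIONS[digest_type](name_to_wire(key.owner) + dnskey_rdata(key))
    return DS(key.owner, key_tag(key), key.algorithm, digest_type, h.digest())


def parse_ds(line: str) -> DS:
    """Parse presentation format '<owner> [ttl] [IN] DS <tag> <alg> <dtype> <hex...>'."""
    f = line.split()
    i = f.index("DS")
    return DS(f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), bytes.fromhex("".join(f[i + 4:])))


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """True iff the DS was derived from this DNSKEY: tag, algorithm and digest all agree."""
    if ds.digest_type not in DIGEST_FUNCTIONS:
        return False  # a digest type the validator cannot compute can never validate
    expected = make_ds(key, ds.digest_type)
    return (ds.key_tag, ds.algorithm, ds.digest) == (expected.key_tag, expected.algorithm, expected.digest)


def unregistered_digest_types(ds_set: List[DS]) -> List[DS]:
    """The DS RRs a registry should have refused: digest type not in the IANA registry."""
    return [d for d in ds_set if d.digest_type not in REGISTERED_DS_DIGEST_TYPES]


def unassigned_algorithms(keys: List[DNSKEY]) -> List[DNSKEY]:
    """DNSKEY RRs whose algorithm number names no algorithm (e.g. 157, 165 in the post)."""
    return [k for k in keys if k.algorithm not in ASSIGNED_DNSKEY_ALGORITHMS]


# Constructed sample data (placeholder key bytes, not a real RSA key).
KSK = DNSKEY("example.test.", 257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
GOOD_DS = make_ds(KSK, 2)
BOGUS_DS = [  # the kinds of records the post found in the wild: digest types 0 and 61
    DS("example.test.", GOOD_DS.key_tag, 8, 0, b"\x00" * 32),
    DS("example.test.", GOOD_DS.key_tag, 8, 61, b"\xff" * 32),
]
ODD_KEYS = [KSK, DNSKEY("example.test.", 512, 3, 165, b"\x01" * 16)]

if __name__ == "__main__":
    print("tag", key_tag(KSK), "DS", GOOD_DS.digest.hex())
    print("unregistered digest types:", [d.digest_type for d in unregistered_digest_types([GOOD_DS] + BOGUS_DS)])
    print("unassigned algorithms:", [k.algorithm for k in unassigned_algorithms(ODD_KEYS)])
```

A registry that accepts DS from the registrant can still run `ds_matches` against the child's published DNSKEY RRset before publishing the delegation; `unregistered_digest_types` alone would have rejected all six records in the first table above.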


