[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone

George Barwood george.barwood at blueyonder.co.uk
Sat Aug 14 06:56:23 UTC 2010

----- Original Message ----- 
From: "Jason Roysdon" <dns-operations.20100813 at jason.roysdon.net>
To: <dns-operations at mail.dns-oarc.net>
Sent: Saturday, August 14, 2010 1:58 AM
Subject: [dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone

>I am working on getting my DS record added to the DOT-US zone with
> Neustar.  In doing so, I found out they have a limitation of only
> supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is
> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

Can I suggest to all registries that there is a lesson to be learned here?

Registries MUST NOT restrict the data in a DS records in any way,
except the total amount of data may be limited ( and this limit should not
be unreasonably low ).

In particular arbitrary algorithms and digest types MUST be allowed.

It is not the concern of the registry what the child wants published,
and attempting to restrict this will only lead to problems in future.

Such restrictions are contrary to the DNS standard.

More information about the dns-operations mailing list