[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone

David Conrad drc at virtualized.org
Sat Aug 14 07:12:24 UTC 2010

While I agree, is it the registry placing the restriction or the registrar?


On Aug 13, 2010, at 11:56 PM, George Barwood wrote:
> ----- Original Message ----- 
> From: "Jason Roysdon" <dns-operations.20100813 at jason.roysdon.net>
> To: <dns-operations at mail.dns-oarc.net>
> Sent: Saturday, August 14, 2010 1:58 AM
> Subject: [dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone
>> I am working on getting my DS record added to the DOT-US zone with
>> Neustar.  In doing so, I found out they have a limitation of only
>> supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is
>> RSA/SHA1:
>> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
> Can I suggest to all registries that there is a lesson to be learned here?
> Registries MUST NOT restrict the data in a DS records in any way,
> except the total amount of data may be limited ( and this limit should not
> be unreasonably low ).
> In particular arbitrary algorithms and digest types MUST be allowed.
> It is not the concern of the registry what the child wants published,
> and attempting to restrict this will only lead to problems in future.
> Such restrictions are contrary to the DNS standard.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list