[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone
David Conrad
drc at virtualized.org
Sat Aug 14 07:12:24 UTC 2010
While I agree, is it the registry placing the restriction or the registrar?
Regards,
-drc
On Aug 13, 2010, at 11:56 PM, George Barwood wrote:
> ----- Original Message -----
> From: "Jason Roysdon" <dns-operations.20100813 at jason.roysdon.net>
> To: <dns-operations at mail.dns-oarc.net>
> Sent: Saturday, August 14, 2010 1:58 AM
> Subject: [dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone
>
>
>> I am working on getting my DS record added to the DOT-US zone with
>> Neustar. In doing so, I found out they have a limitation of only
>> supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is
>> RSA/SHA1:
>> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
>
>
> Can I suggest to all registries that there is a lesson to be learned here?
>
> Registries MUST NOT restrict the data in a DS record in any way,
> except the total amount of data may be limited (and this limit should not
> be unreasonably low).
>
> In particular, arbitrary algorithms and digest types MUST be allowed.
>
> It is not the concern of the registry what the child wants published,
> and attempting to restrict this will only lead to problems in future.
>
> Such restrictions are contrary to the DNS standard.