[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone
drc at virtualized.org
Sat Aug 14 07:12:24 UTC 2010
While I agree, is it the registry placing the restriction or the registrar?
On Aug 13, 2010, at 11:56 PM, George Barwood wrote:
> ----- Original Message -----
> From: "Jason Roysdon" <dns-operations.20100813 at jason.roysdon.net>
> To: <dns-operations at mail.dns-oarc.net>
> Sent: Saturday, August 14, 2010 1:58 AM
> Subject: [dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone
>> I am working on getting my DS record added to the DOT-US zone with
>> Neustar. In doing so, I found out they have a limitation of only
>> supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is
> Can I suggest to all registries that there is a lesson to be learned here?
> Registries MUST NOT restrict the data in a DS record in any way,
> except the total amount of data may be limited (and this limit should not
> be unreasonably low).
> In particular arbitrary algorithms and digest types MUST be allowed.
> It is not the concern of the registry what the child wants published,
> and attempting to restrict this will only lead to problems in future.
> Such restrictions are contrary to the DNS standard.
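The two DS acceptance policies discussed in this thread, side by side, as an added example that is not part of the original messages and not any registry's code: an algorithm allowlist versus a syntax-only check with a size cap. The function names, the 64-byte cap and the sample records are assumptions constructed for illustration.

```python
# Added illustration: registry-side DS acceptance checks (hypothetical names).
import binascii

ALLOWLIST_ALGS = {3, 5}   # the restriction reported in the thread
MAX_DIGEST_BYTES = 64     # assumed cap; the thread names no figure


def parse_ds(text):
    """Parse DS RDATA presentation format: keytag algorithm digest-type hex-digest."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("expected: keytag algorithm digest-type digest")
    if not all(f.isascii() and f.isdigit() for f in fields[:3]):
        raise ValueError("keytag, algorithm and digest type must be decimal integers")
    key_tag, alg, digest_type = (int(f) for f in fields[:3])
    if key_tag > 0xFFFF:
        raise ValueError("key tag is a 16-bit field")
    if alg > 0xFF or digest_type > 0xFF:
        raise ValueError("algorithm and digest type are 8-bit fields")
    try:
        # The hex digest may be split into several whitespace-separated groups.
        digest = binascii.unhexlify("".join(fields[3:]))
    except ValueError:
        raise ValueError("digest is not valid hex")
    if not digest:
        raise ValueError("empty digest")
    return key_tag, alg, digest_type, digest


def allowlist_policy(text):
    """Accept only DS records whose algorithm is on the registry's allowlist."""
    _, alg, _, _ = parse_ds(text)
    return alg in ALLOWLIST_ALGS


def size_cap_policy(text):
    """Accept any well-formed DS record, whatever its algorithm or digest type,
    as long as the digest stays under the size cap."""
    _, _, _, digest = parse_ds(text)
    return len(digest) <= MAX_DIGEST_BYTES


# Constructed sample records (not real keys or digests).
DS_ALG5 = "12345 5 1 " + "ab" * 20        # algorithm 5, 20-byte digest
DS_ALG7 = "12345 7 1 " + "ab" * 20        # algorithm 7 (RSASHA1-NSEC3-SHA1, RFC 5155)
DS_UNKNOWN = "12345 200 9 " + "cd" * 48   # unassigned algorithm and digest type
DS_HUGE = "12345 7 2 " + "ef" * 200       # well-formed but over the cap
```

The allowlist check rejects `DS_ALG7` and `DS_UNKNOWN` although both are syntactically valid, while the size-cap check rejects only `DS_HUGE`.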