[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone

Jason Roysdon dns-operations.20100813 at jason.roysdon.net
Sat Aug 14 14:25:34 UTC 2010


In this case it is both, so I cannot say for sure which.  Let me
explain.  Neustar is both the Registry and Registrar in this case, as
this is a 4th-level Locality .US domain that is delegated directly from
the .US ccTLD.  Once there are other .US Registrars offering DNSSEC
services available, we'll see if it is just the way Neustar as a
Registrar implemented it, or if it is a Registry restriction they have
imposed.  Neustar does not yet offer a list of Registrars which offer
DNSSEC services, and I would not use one as my 4th-level Locality domain
is free, forever.

Jason Roysdon
http://jason.roysdon.net/

On 08/14/2010 12:12 AM, David Conrad wrote:
> While I agree, is it the registry placing the restriction or the registrar?
> 
> Regards,
> -drc
> 
> On Aug 13, 2010, at 11:56 PM, George Barwood wrote:
>> ----- Original Message ----- 
>> From: "Jason Roysdon" <dns-operations.20100813 at jason.roysdon.net>
>> To: <dns-operations at mail.dns-oarc.net>
>> Sent: Saturday, August 14, 2010 1:58 AM
>> Subject: [dns-operations] DNSSEC DS record generation for DOT-US from NSEC3signed-zone
>>
>>
>>> I am working on getting my DS record added to the DOT-US zone with
>>> Neustar.  In doing so, I found out they have a limitation of only
>>> supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is
>>> RSA/SHA1:
>>> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
>>
>>
>> Can I suggest to all registries that there is a lesson to be learned here?
>>
>> Registries MUST NOT restrict the data in a DS record in any way,
>> except that the total amount of data may be limited (and this limit should not
>> be unreasonably low).
>>
>> In particular arbitrary algorithms and digest types MUST be allowed.
>>
>> It is not the concern of the registry what the child wants published,
>> and attempting to restrict this will only lead to problems in future.
>>
>> Such restrictions are contrary to the DNS standard.
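Added worked example (not code from any poster in this thread): a DS record generated from a DNSKEY RR the way RFC 4034 section 5.1.4 and Appendix B describe it (canonical owner name plus DNSKEY RDATA hashed; key tag from the RDATA), then checked against a front end that, as the original post reports for Neustar, accepts only algorithm numbers 3 and 5. The owner name example.us, the 64-byte key blob and the accepted digest types {1, 2} are all constructed assumptions; the key is a placeholder, not a real public key. The point it illustrates is that an NSEC3-signed zone cannot use algorithms 3 or 5 at all (RFC 5155 assigns the NSEC3 aliases 6 and 7, and later algorithms such as 8 are NSEC3-capable by definition), so such a filter rejects a perfectly valid DS.

```python
"""Generate a DS RR from a DNSKEY RR (RFC 4034 section 5.1.4 / Appendix B)
and check it against a registry front end that filters on algorithm number."""
import base64
import hashlib
import struct

# Constructed example: a 64-byte placeholder standing in for an RSA public key
# blob. It is not a real key; only the DS arithmetic is being demonstrated.
EXAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()

# Digest types from the IANA DS RR digest type registry.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Algorithm numbers from the IANA DNSSEC algorithm registry (subset).
ALG_NAMES = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
             7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line):
    """Parse a DNSKEY RR in presentation format into (owner, rdata bytes).
    TTL and class are optional, as in zone files; a trailing ';' comment
    (e.g. the key id that dnssec-keygen appends) is ignored."""
    fields = line.split(";")[0].split()
    owner = fields[0]
    i = fields.index("DNSKEY") + 1
    flags, protocol, algorithm = (int(x) for x in fields[i:i + 3])
    key = base64.b64decode("".join(fields[i + 3:]))
    return owner, struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(dnskey_line, digest_type=2):
    """Return (owner, key_tag, algorithm, digest_type, hex_digest).
    The digest covers owner name (wire form) followed by the DNSKEY RDATA."""
    owner, rdata = parse_dnskey(dnskey_line)
    algorithm = rdata[3]  # flags(2) protocol(1) algorithm(1) key(...)
    h = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata)
    return owner, key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def ds_presentation(ds):
    owner, tag, alg, dtype, digest = ds
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dtype, digest)


def registry_accepts(ds, allowed_algorithms, allowed_digest_types):
    """Simulate a registry/registrar front end that only lets certain
    algorithm and digest-type numbers through (assumed behaviour)."""
    _, _, alg, dtype, _ = ds
    return alg in allowed_algorithms and dtype in allowed_digest_types


if __name__ == "__main__":
    # Per the post, the front end takes only algorithms 3 and 5. Assumed here
    # to take both common digest types; the post does not say which it takes.
    limited = ({3, 5}, {1, 2})
    for alg in (5, 7, 8):
        line = "example.us. 3600 IN DNSKEY 257 3 %d %s" % (alg, EXAMPLE_KEY_B64)
        ds = make_ds(line, digest_type=1)
        print(ds_presentation(ds))
        print("  %-20s accepted=%s" % (ALG_NAMES[alg], registry_accepts(ds, *limited)))
```

Feed it the DNSKEY line from your own KSK file (the `257 3 <alg> ...` line) to reproduce the DS that `dnssec-dsfromkey` prints; the tag and digest should match. For an NSEC3 zone the algorithm byte will be 6, 7 or higher, so the simulated {3, 5} filter reports `accepted=False` regardless of how correct the DS is.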