[dns-operations] thoughts on DNSSEC

Vernon Schryver vjs at rhyolite.com
Thu Jul 19 18:18:49 UTC 2012

> From: James M Galvin <galvin at elistx.com>

> ...
> For the remaining 20% I'll assert that they are technically competent, 
> which means if they have fat finger issues, well, we've all had those 
> problems.  You get what you deserve and pay for.  What I mean is, these 
> folks will either be doing their DNS themselves, because they can, or 
> ...

I've been trying to get the trivial domains for which I'm authoritative
signed all week.  This experience suggests that a DS RR problem
would probably be worse than 2 days even without a holiday.

One of the problems I've found is that ARIN's reverse DNS DS parser web
page can't handle the blanks that the BIND tools insert in long records.
The Verisign portal that my registrar uses seems to have the same
problem and the people there seem to lack sufficient experience to
work around it.  Would it make sense for dig, dnssec-dsfromkey, etc.
to not insert those blanks?

As for sending DS RRsets to a registrar by mail, why don't they
use something like this with recent versions of dnssec-dsfromkey?
  dig example.com dnskey | dnssec-dsfromkey -f - example.com
That seems more secure than unauthenticated mail and less vulnerable
to mail software breaking long lines or encrypting them as

What about always using both types of DS record?  Why does everyone
publish both SHA-1 and SHA-256 digests?  RFC 4509 is more than 6
years old.


} From: Paul Vixie <paul at redbarn.org>

} On 7/19/2012 4:55 PM, David Conrad wrote:

} >>                                         Maybe I should give up 
} >> tilting at this windmill and live with DLV for now.  

} > IMHO, I think this sends the wrong message.  One of the highest
} > bandwidth signals for profit companies can receive is money walking
} > ...

} i agree. the better answer is to reward with your business those
} registrars who adopt the technologies you need.

It's hard to know about money walking away.  Many people don't tell
vendors exactly why they are walking.  They often leave without a word.

It might help if the list of DLV users could be published, perhaps
by allowing zone transfers.  Of course, an enterprising registrar
could do a market survey with some NSEC walking in dlv.isc.org.

Vernon Schryver    vjs at rhyolite.com
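
The blanks complained about above are legal: RFC 4034 allows whitespace inside the DS digest in presentation format, so a form that accepts pasted DS records has to join the pieces before checking them. The sketch below is an added example, not part of the original message and not ARIN's, Verisign's or BIND's code; `parse_ds` and `canonical` are hypothetical names and the sample record is constructed.

```python
import re

# Digest length in bytes per DS digest type: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_LEN = {1: 20, 2: 32}

# Constructed sample (not a real key): a SHA-256 DS whose digest is split by a
# blank, the way the message says the BIND tools print long records.
SAMPLE = "example.com. IN DS 12345 8 2 " + "0123456789ABCDEF" * 3 + "01234567 89ABCDEF"

def parse_ds(line):
    """Parse one DS RR in presentation format, accepting blanks and
    parentheses inside the digest. Hypothetical helper; raises ValueError."""
    text = line.split(";", 1)[0]                      # drop a trailing comment
    fields = text.replace("(", " ").replace(")", " ").split()
    upper = [f.upper() for f in fields]
    if "DS" not in upper[1:]:
        raise ValueError("not a DS record")
    i = upper.index("DS", 1)                          # owner is fields[0]
    if len(fields) < i + 5:
        raise ValueError("DS record is missing fields")
    try:
        key_tag, alg, dtype = (int(f) for f in fields[i + 1:i + 4])
    except ValueError:
        raise ValueError("key tag, algorithm and digest type must be integers")
    if not (0 <= key_tag <= 0xFFFF and 0 <= alg <= 0xFF):
        raise ValueError("key tag or algorithm out of range")
    # RFC 4034 allows whitespace within the hex digest, so join every remaining field.
    digest = "".join(fields[i + 4:]).upper()
    if not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError("digest is not hexadecimal")
    if dtype not in DIGEST_LEN:
        raise ValueError("unsupported digest type %d" % dtype)
    if len(digest) != 2 * DIGEST_LEN[dtype]:
        raise ValueError("digest length does not match digest type %d" % dtype)
    return {"owner": fields[0].lower(), "key_tag": key_tag, "algorithm": alg,
            "digest_type": dtype, "digest": digest}

def canonical(ds):
    """Render the record on one line with an unbroken digest."""
    return "%s IN DS %d %d %d %s" % (ds["owner"], ds["key_tag"], ds["algorithm"],
                                     ds["digest_type"], ds["digest"])

if __name__ == "__main__":
    print(canonical(parse_ds(SAMPLE)))
```

The length check is what catches the failure mode where only the first chunk of a split digest survives a paste: the record is rejected instead of being stored as a DS that can never validate.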
