[dns-operations] [Ext] Re: help with a resolution

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jan 8 23:00:06 UTC 2020


On Wed, Jan 08, 2020 at 10:45:54PM +0000, Paul Hoffman wrote:

> However, in DNSSEC, what is the scenario where "I" can get "you" to sign an
> RRset? Aren't RRsets all signed by their owner, the creator of the RRset? If
> I'm a signer and I'm willing to sign something that I didn't create, I
> already have a lot of problems already.

Well, there are various services where indeed the zone administrator signs
records from authenticated, but otherwise untrusted customers, provided
the RR owner is associated with the customer.

For example, the .DE zone (which uses algorithm 8, so not subject to
any SHA-1 issues) allows registrants that only need a handful of
DNS records to have those records published directly in the .DE
zone, without delegation.

Other zones may make similar arrangements.

-- 
    Viktor.


