[dns-operations] [Ext] Re: help with a resolution
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Jan 8 23:36:49 UTC 2020
On Wed, Jan 08, 2020 at 06:00:06PM -0500, Viktor Dukhovni wrote:
> Well, there are various services where indeed the zone administrator signs
> records from authenticated, but otherwise untrusted customers, provided
> the RR owner is associated with the customer.
>
> For example, the .DE zone (which uses algorithm 8, so not subject to
> any SHA-1 issues) allows registrants that only need a handful of
> DNS records to have those records published directly in the .DE
> zone, without delegation.
>
> Other zones may make similar arrangements.
Or more simply, when Let's Encrypt, or some cloud provider asks you to
publish a TXT RR in your zone to prove zone control, how sure are you
that's not a hash collision in disguise?
--
Viktor.
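As an added illustration (not part of Viktor's post), the Python below builds the RFC 4034 signing input for a TXT RRset and reports which digest the zone's signing algorithm hashes it with, showing that a third-party validation token lands verbatim inside the bytes the zone key signs. Owner names, TTLs, timestamps and the token value are constructed.

```python
import hashlib
import struct

TYPE_TXT, CLASS_IN = 16, 1

# Digest each DNSSEC signing algorithm is computed over (IANA algorithm numbers).
# 3, 5 and 7 sign a SHA-1 hash; the .DE example in the thread uses 8 (RSA/SHA-256).
DIGEST_FOR_ALGORITHM = {3: "sha1", 5: "sha1", 7: "sha1", 8: "sha256",
                        10: "sha512", 13: "sha256", 14: "sha384"}


def wire_name(name):
    """Canonical owner-name wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def txt_rdata(text):
    """TXT RDATA is one or more <character-string>s: a length byte followed by up to 255 bytes."""
    data = text.encode("ascii")
    assert len(data) <= 255
    return bytes([len(data)]) + data


def signed_data(owner, ttl, rdatas, algorithm, expiration, inception, key_tag, signer):
    """Bytes the signer hashes for a TXT RRSIG (RFC 4034 s3.1.8.1): the RRSIG RDATA
    without its signature field, then every RR of the set in canonical form, sorted by RDATA."""
    labels = len([l for l in owner.strip(".").split(".") if l])
    header = struct.pack("!HBBIIIH", TYPE_TXT, algorithm, labels, ttl,
                         expiration, inception, key_tag) + wire_name(signer)
    rrs = [wire_name(owner) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(r)) + r
           for r in sorted(rdatas)]
    return header + b"".join(rrs)


def signing_digest(algorithm, data):
    """(digest name, hex digest) of the message the private key actually signs."""
    name = DIGEST_FOR_ALGORITHM[algorithm]
    return name, hashlib.new(name, data).hexdigest()


def untrusted_bytes_covered(data, rdata):
    """Offset of the customer-supplied RDATA inside the signed message (-1 if absent)."""
    return data.find(rdata)


if __name__ == "__main__":
    # Constructed values: a validation token a third party asked the zone owner to publish.
    token = txt_rdata("gfj9Xq-constructed-token")
    msg = signed_data("_acme-challenge.example.com.", 300, [token], 5,
                      1578614400, 1577404800, 12345, "example.com.")
    print(signing_digest(5, msg), untrusted_bytes_covered(msg, token))
```

Swapping the algorithm argument from 5 to 8 changes only the digest line, which is the whole difference between the two cases the post contrasts.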