[dns-operations] any registries require DNSKEY not DS?

Patrick Mevzek mevzek at uniregistry.com
Wed Jan 22 23:26:17 UTC 2020


On 22/01/2020 17:53, Warren Kumari wrote:
> When I first heard this I was confused as to why they'd do this -- but
> then Antoin Verschuren / Cristian explained that they'd like to make
> sure that a good hash is being used, and suddenly I started wondering
> why this isn't the default...:-)

The IANA TLD template for changes, even if done through a website now
and not by email, asks for the DS, not the DNSKEY:

https://www.iana.org/domains/root/tld-change-template.txt

One data point merely on this question about which case is right or not:
the EPP secDNS extension allows both, in fact three: DS, DNSKEY, or DNSKEY+DS.

On a non-technical level it is more about who really controls the DS
record at the parent. If a child suddenly wants to try new things, or new
algorithms come along and stuff like that, if you have to send the DNSKEY to
the parent then you are limited by what choices the parent gives to you
and you may not be able to have the specific DS you would like. Some
will prefer to have safeguards ("parent should make sure child does not
shoot itself in the foot"), others will prefer to be "agile" and have
full liberty (and hence full power to shoot themselves in the foot).

Registrants have the exact same problem when they want their registrar just
to forward their desired DS record to the registry, irrespective of what the
registrar knows and does about DNSSEC. Some will prefer to have a
specific UI that validates everything before sending to the registry (which
can make sense in case the registry gives the registrar penalties for
faulty commands), and hence lose some liberty, and others will prefer
to have the registrar just send the string as an opaque blob and let the end
registrant deal with problems.

It also depends on what a "good hash" is. If it is just filtering on the
key algorithm/key digest type, that information is in the data sent by the
registrar to the registry, so the DS record is enough for this check.

If the registry wants to do DNSSEC checks completely it would have to do
live DNS queries at the child anyway to see what it really publishes as
DNSKEY, not what it says (through EPP) that it would publish.

It is the same problem as doing DNS delegation validation at the moment
you want to change nameservers (to check that the new ones are properly
configured) vs doing it "randomly" during the life of a domain (or at
least not just once at delegation time but also afterwards).

-- 
Patrick Mevzek
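The two kinds of check discussed above (the "good hash" filter that only needs the DS string, and the stronger check that needs the DNSKEY the child actually publishes) as an added Python example; it is not from the post or from any registry's code. The accepted algorithm and digest-type sets are an assumed policy, and the owner name and 2-byte "public key" are constructed sample data, not a real key.

```python
import base64
import hashlib
import struct

# IANA DS digest types this example can compute (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ACCEPTED_DIGEST_TYPES = {2, 4}  # assumed policy: SHA-1 digests are "not a good hash"
ACCEPTED_ALGORITHMS = {8, 13, 14, 15, 16}  # assumed: RSASHA256, ECDSAP256, ECDSAP384, ED25519, ED448

# Constructed sample: a 2-byte "public key" so the key tag is easy to verify by hand.
SAMPLE_OWNER = "Example.COM."
SAMPLE_RDATA = struct.pack("!HBB", 257, 3, 13) + b"\x01\x02"  # flags, protocol, alg, key

def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B (all algorithms except 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """Derive the DS the parent would publish: digest over owner wire name + DNSKEY RDATA."""
    digest = DIGEST[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds_policy(keytag: int, algorithm: int, digest_type: int, digest_hex: str) -> list:
    """The 'good hash' filter: everything checked here is visible in the DS string itself."""
    problems = []
    if algorithm not in ACCEPTED_ALGORITHMS:
        problems.append(f"algorithm {algorithm} not accepted")
    if digest_type not in ACCEPTED_DIGEST_TYPES:
        problems.append(f"digest type {digest_type} not accepted")
    if digest_type in DIGEST and len(digest_hex) != 2 * DIGEST[digest_type]().digest_size:
        problems.append("digest length does not match digest type")
    return problems

def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """The stronger check: needs the DNSKEY the child really publishes (a live query in practice)."""
    keytag, algorithm, digest_type, digest_hex = ds
    return digest_type in DIGEST and ds_from_dnskey(owner, rdata, digest_type) == (
        keytag, algorithm, digest_type, digest_hex.upper())

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_RDATA, 2)
    print("DS:", *ds, "| policy problems:", check_ds_policy(*ds) or "none")
```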
