[dns-operations] any registries require DNSKEY not DS?

Warren Kumari warren at kumari.net
Thu Jan 23 02:51:28 UTC 2020


On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> On Wed, Jan 22, 2020 at 10:13:40PM +0000, Tony Finch wrote:
>
> > Are there any registries that configure secure delegations from DNSKEY
> > records (and do their own conversion to DS records) rather than accepting
> > DS records from the registrant?
>
> In answer to the converse question, at least some registries appear to
> allow (or have allowed in the past) DS RRs with unverified content:


This actually seems OK to me -- nonsensical, but OK. The DS record
"belongs" to the child, and so I feel like, as long as it isn't
harmful to the parent / the Internet, the child can put whatever
silliness in there that they would like.
If I chose to hand my parent an NS record with 192.168.0.22 as the
address, I'd expect them to publish it -- I understand (and
appreciate) that some ccTLDs perform sanity checks, and have various
policies that they will only accept "good" data, but that's an
explicit choice by them - absent such a policy, I think I should be
able to add a DS with algorithm 42, digest type of 17, and rdata of
badc0ffee.

If the parent makes the DS for me from my DNSKEY, well, then the DS
suddenly "feels" like it belongs more to the parent than the child,
but this is starting to get into the "I no longer know why I believe
what I believe" territory (and is internally inconsistent), so I'll
just stop thinking about this and go shopping instead :-)


W

>
>             domain           | alg | digest type
>     -------------------------+-----+------------
>     <aaaaaaa>.go.leg.br      |   8 |    0
>     <aaaaaaa>.go.leg.br      |   8 |    1
>     <bbbbbbbbbbbb>.pr.leg.br |   8 |    0
>     <cccccc>.sp.leg.br       |   8 |    0
>     <ddddd>.se               |  13 |    8
>     <eeee>.se                |   8 |   61
>
> The above 5 (obfuscated) domains have DS RRs with digest types outside
> the registered IANA codepoints:
>
>     https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml
>
> though the first also has a valid codepoint.
>
> Among domains with at least one valid DNSKEY at least two have
> additional keys with out of range codepoints, that were either not
> checked by the parent, or added after the initial DS enrolment:
>
>           domain        | alg | flags | inception
>     --------------------+-----+-------+------------
>     <aaaaa>.eu          | 157 |     0 | <predates survey>
>     <aaaaa>.eu          |   7 |   256 |  -"-
>     <aaaaa>.eu          |   7 |   257 |  -"-
>     <bbbbbbbbbbbbb>.net |   7 |   256 |  -"-
>     <bbbbbbbbbbbbb>.net |   7 |   257 |  -"-
>     <bbbbbbbbbbbbb>.net | 165 |   512 | 2019-02-23
>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
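
Added example (not code from this thread, and not any registry's own
code): a self-contained Python sketch of both directions discussed above,
the parent deriving a DS from a registrant's DNSKEY (RFC 4034 s5.1.4 and
Appendix B, including the canonical owner-name form), and the
registered-codepoint checks a registry could run on a submitted DS or
DNSKEY without needing any key material. The sample rejects the shapes
seen in Viktor's tables (digest types 0, 8 and 61, algorithms 157 and
165, flags 0 and 512). Assumptions: the IANA tables are a snapshot that
matches the registries at the early-2020 date of this thread and must be
refreshed before real use; the 64-byte public key is constructed for the
demo and is not a real key; digest type 3 (GOST) is recognised as
registered but cannot be derived here because hashlib has no GOST.

```python
"""DS/DNSKEY sanity checks and DS derivation (RFC 4034). Added example, not
code from the thread. ASSUMPTION: the IANA tables below are a snapshot as
of early 2020 and must be refreshed from the registries before real use."""
import base64
import hashlib
import struct

# IANA "DS RR digest types": type -> (name, digest length in bytes).
# 0 is Reserved and unassigned values are absent, so both fail the check.
DS_DIGEST_TYPES = {1: ("SHA-1", 20), 2: ("SHA-256", 32),
                   3: ("GOST R 34.11-94", 32), 4: ("SHA-384", 48)}
HASHERS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # no GOST in hashlib

# IANA "DNSSEC algorithm numbers" that are assigned (Reserved/Unassigned omitted).
DNSSEC_ALGORITHMS = {1, 2, 3, 5, 6, 7, 8, 10, 12, 13, 14, 15, 16, 252, 253, 254}

# DNSKEY flag bits: Zone Key and SEP (RFC 4034 s2.1.1), Revoke (RFC 5011).
ZONE_KEY, REVOKE, SEP = 0x0100, 0x0080, 0x0001
DEFINED_FLAGS = ZONE_KEY | REVOKE | SEP

# Constructed public key for the demo and tests (NOT a real key).
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")


def canonical_name(owner):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [lab for lab in owner.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire form: flags(16) protocol(8) algorithm(8) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """What a parent that derives DS itself would publish:
    (key tag, algorithm, digest type, hex digest) per RFC 4034 s5.1.4."""
    if digest_type not in HASHERS:
        raise ValueError(f"digest type {digest_type} not supported by this example")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = HASHERS[digest_type](canonical_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def check_ds(tag, algorithm, digest_type, digest_hex):
    """Problems with a registrant-submitted DS; [] means registered codepoints and a
    digest of the right length. None of this needs the child's key."""
    problems = []
    if algorithm not in DNSSEC_ALGORITHMS:
        problems.append(f"algorithm {algorithm} is not an assigned DNSSEC algorithm number")
    if digest_type not in DS_DIGEST_TYPES:
        return problems + [f"digest type {digest_type} is reserved or unassigned"]
    name, want = DS_DIGEST_TYPES[digest_type]
    try:
        got = len(bytes.fromhex(digest_hex))
    except ValueError:
        return problems + ["digest is not hexadecimal"]
    if got != want:
        problems.append(f"{name} digest should be {want} bytes, got {got}")
    return problems


def check_dnskey(flags, protocol, algorithm):
    """Problems with a DNSKEY a registry would derive a DS from (RFC 4034 s2.1)."""
    problems = []
    if not flags & ZONE_KEY:
        problems.append("Zone Key bit clear: not a DNSSEC zone key")
    if flags & ~DEFINED_FLAGS:
        problems.append(f"flags {flags} set reserved bits that must be zero")
    if protocol != 3:
        problems.append(f"protocol {protocol} is invalid; DNSSEC requires 3")
    if algorithm not in DNSSEC_ALGORITHMS:
        problems.append(f"algorithm {algorithm} is not an assigned DNSSEC algorithm number")
    return problems


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True only if the DS is exactly what the parent would derive from the key."""
    tag, alg, dtype, digest = ds
    if dtype not in HASHERS:
        return False
    return ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64,
                          dtype) == (tag, alg, dtype, digest.upper())


if __name__ == "__main__":
    ds = ds_from_dnskey("example.net.", ZONE_KEY | SEP, 3, 8, SAMPLE_PUBKEY_B64)
    print("derived DS:", ds, check_ds(*ds))
    # Shapes modelled on the thread's tables (digest placeholders are constructed).
    for rec in [(1, 8, 0, "00" * 20), (1, 8, 61, "00" * 32), (1, 13, 8, "00" * 32)]:
        print("DS alg/digest type", rec[1:3], check_ds(*rec))
    for key in [(0, 3, 157), (512, 3, 165), (256, 3, 7)]:
        print("DNSKEY flags/proto/alg", key, check_dnskey(*key))
```

check_ds separates "unregistered codepoint" from "digest of the wrong
length for that type"; both are cheap to verify at enrolment time and
neither requires the registry to see the child's DNSKEY. ds_matches_dnskey
is the stricter check that only the DNSKEY-in model makes possible.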


