[dns-operations] any registries require DNSKEY not DS?

Marc Groeneweg marc.groeneweg at sidn.nl
Thu Jan 23 09:09:49 UTC 2020


All,

Yes, SIDN is still using DNSKEY for reasons stated by Antoin in the past. 

Regards,
Marc

    On Wed, Jan 22, 2020 at 5:26 PM Tony Finch <dot at dotat.at> wrote:
    >
    > Are there any registries that configure secure delegations from DNSKEY
    > records (and do their own conversion to DS records) rather than accepting
    > DS records from the registrant?
    
    I believe that at least SIDN used to (and perhaps still does) - this
    was one of the reasons that the CDS record is actually CDS/CDNSKEY.
    
    When I first heard this I was confused as to why they'd do this -- but
    then Antoin Verschuren / Cristian explained that they'd like to make
    sure that a good hash is being used, and suddenly I started wondering
    why this isn't the default...:-)
    
    I *think* that someone from .ca (perhaps Jacques or Matt) said that
    they also allow DNSKEYs -- but this is all from 2014 timeframes, and my
    memory is (sadly) paging that out...
    W
    
    > I think I have heard that .de is one.
    > Looking at OpenSRS as an example of a registrar that supports lots of
    > TLDs, I see that they don't support DNSSEC for .de
    > http://opensrs.help/chart and their API only supports DS records
    > https://domains.opensrs.guide/docs/set_dnssec_info
    >
    > Also, I am uncomfortable with the endianness of their support domain names...
    >
    > Tony.
    > --
    > f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
    > responsible stewardship of the earth and its resources
    > _______________________________________________
    > dns-operations mailing list
    > dns-operations at lists.dns-oarc.net
    > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
    
    
    
    --
    I don't think the execution is relevant when it was obviously a bad
    idea in the first place.
    This is like putting rabid weasels in your pants, and later expressing
    regret at having chosen those particular rabid weasels and that pair
    of pants.
       ---maf
    
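The registry-side conversion discussed in this thread, as an added example that is not part of the original messages or any registry's code: the registrant submits a DNSKEY and the registry derives the DS itself, so the digest type is the registry's choice (SHA-256 here, per RFC 4034 and RFC 4509). The function names and the all-zero sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Digest the registry chooses for every delegation (DS digest type 2 = SHA-256).
DIGEST_TYPE = 2


def name_to_wire(owner: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def dnskey_to_ds(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> str:
    """Build the DS presentation string the registry would publish."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100:
        raise ValueError("Zone Key flag not set; key cannot anchor a delegation")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64, validate=True)
    # DS digest input is the canonical owner name followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {DIGEST_TYPE} {digest}"


# Constructed sample: 64 zero bytes standing in for an ECDSA P-256 public key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    print("Example.NL. IN DS", dnskey_to_ds("Example.NL.", 257, 3, 13, SAMPLE_KEY_B64))
```
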