[dns-operations] any registries require DNSKEY not DS?

John W. O'Brien john at saltant.com
Thu Jan 23 03:33:26 UTC 2020


On 2020/01/22 17:13, Tony Finch wrote:
> Are there any registries that configure secure delegations from DNSKEY
> records (and do their own conversion to DS records) rather than accepting
> DS records from the registrant? I think I have heard that .de is one.
> Looking at OpenSRS as an example of a registrar that supports lots of
> TLDs, I see that they don't support DNSSEC for .de
> http://opensrs.help/chart and their API only supports DS records
> https://domains.opensrs.guide/docs/set_dnssec_info
> 
> Also, I am uncomfortable with the endianness of their support domain names...
> 
> Tony.
> 

I'm not sure whether any *registries* require DNSKEY vs DS, but I am
familiar with differences among *registrars* via direct and recent (on
the order of hours and days) experience with updating DS records for
COM, NET, ORG, ARPA, and EDU.

COM via GKG: DS
NET via GKG: DS
NET via gandi: DNSKEY
ORG via GKG: DS
ORG via gandi: DNSKEY
ARPA via ARIN: DS
EDU via EDUCAUSE: DS

The only evidence I observed/recall that a registrar attempted to
validate the supplied parameters is that GKG warned upon submission
before accepting and allowed override.

-- 
John W. O'Brien
OpenPGP keys:
    0x33C4D64B895DBF3B
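
The DNSKEY-to-DS conversion that the quoted question refers to, together with the kind of consistency check a registrar could run on a submitted DS, as an added example (not part of the thread and not any registry's or registrar's code). It follows RFC 4034 for the key tag and the DS digest input, using SHA-256 (digest type 2); the key bytes and function names are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample key material (not a real key): 64 bytes, the length of an
# ECDSA P-256 public key (algorithm 13).
CONSTRUCTED_PUBKEY = bytes(range(64))

def name_to_wire(name):
    """Canonical wire form of the owner name: lowercased labels, root terminator."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey):
    """Derive (key_tag, algorithm, digest_type, digest_hex) as a registry would."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    # DS digest input is the canonical owner name followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_matches_dnskey(submitted_ds, owner, flags, protocol, algorithm, pubkey):
    """Check a registrant-supplied DS tuple against the DNSKEY it claims to cover."""
    tag, alg, digest_type, digest = submitted_ds
    if digest_type != 2:
        raise ValueError("this example only handles digest type 2 (SHA-256)")
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey)
    submitted = (tag, alg, 2, digest.replace(" ", "").upper())
    return submitted == expected

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com.", 257, 3, 13, CONSTRUCTED_PUBKEY)
    print("example.com. IN DS %d %d %d %s" % ds)
    print("matches:", ds_matches_dnskey(ds, "example.com.", 257, 3, 13,
                                        CONSTRUCTED_PUBKEY))
```

A DS derived this way is bound to the owner name as well as the key, so the same DNSKEY published under a different zone name yields a different digest.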
