[dns-operations] any registries require DNSKEY not DS?
Frederico A C Neves
fneves at registro.br
Thu Jan 23 20:05:03 UTC 2020
On Wed, Jan 22, 2020 at 09:06:21PM -0500, Viktor Dukhovni wrote:
> On Wed, Jan 22, 2020 at 10:13:40PM +0000, Tony Finch wrote:
>
> > Are there any registries that configure secure delegations from DNSKEY
> > records (and do their own conversion to DS records) rather than accepting
> > DS records from the registrant?
>
> In answer to the converse question, at least some registries appear to
> allow (or have allowed in the past) DS RRs with unverified content:
>
> domain | alg | digest type
> -------------------------+-----+------------
> <aaaaaaa>.go.leg.br | 8 | 0
> <aaaaaaa>.go.leg.br | 8 | 1
> <bbbbbbbbbbbb>.pr.leg.br | 8 | 0
> <cccccc>.sp.leg.br | 8 | 0
Just as a matter of clarification, those fourth level "grandchild"
delegations are beyond the registry control. The third level ones are
totally correct.
Fred
More information about the dns-operations
mailing list