[dns-operations] any registries require DNSKEY not DS?

Florian Weimer fw at deneb.enyo.de
Thu Jan 23 20:38:00 UTC 2020


* Warren Kumari:

> On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>>
>> On Wed, Jan 22, 2020 at 10:13:40PM +0000, Tony Finch wrote:
>>
>> > Are there any registries that configure secure delegations from DNSKEY
>> > records (and do their own conversion to DS records) rather than accepting
>> > DS records from the registrant?
>>
>> In answer to the converse question, at least some registries appear to
>> allow (or have allowed in the past) DS RRs with unverified content:
>
>
> This actually seems OK to me -- nonsensical, but OK.

It makes attacks on the underlying hash function for the DS record
easier.  Constructing colliding prefixes is much harder if the prefix
itself contains the hash over something else (because you also have to
construct that something).
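A registry-side check of the kind this thread is asking about, added here as an example that is not from the list post: derive the DS from a DNSKEY as RFC 4034 specifies (digest over the canonical owner name plus the DNSKEY RDATA, key tag per Appendix B) and accept a submitted DS only if it matches. The zone name and key bytes are constructed, not real key material.

```python
# Added example (not from the list post): compute a DS from a DNSKEY per
# RFC 4034 section 5.1.4 / Appendix B and verify a registrant-submitted DS
# against it, instead of storing DS content unverified.
import hashlib
import struct

# Digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 6.2): lowercase, uncompressed."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1: 16-bit sum over the RDATA with carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest) for this DNSKEY.
    The digest covers owner name + DNSKEY RDATA, i.e. the DS is a hash over
    a key, not an arbitrary string chosen by whoever submits it."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey):
    """Registry-side check: accept a submitted DS only if tag, algorithm,
    digest type and digest all equal what the zone's DNSKEY produces."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type cannot be verified, so do not accept it
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, dtype)
    return (tag, alg, dtype, digest.upper()) == expected


# Constructed inputs (not a real key): a 32-byte blob presented as an algorithm-13 KSK.
KSK_PUBKEY = bytes(range(32))
ZONE = "Example.COM."
```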

