[dns-operations] Support for ED25519/ED448 DS records by OpenSRS

Florian Weimer fw at deneb.enyo.de
Fri Feb 19 19:01:48 UTC 2021


* Simon Arlott via dns-operations:

> Supposedly it is to protect registrants from bad data but it would be
> trivial to simply enter the wrong numbers in the individual component DS
> record web forms that everyone is fond of.

The registry signs the DS RRset with its own key.  It's good practice
to apply as many checks as possible when signing data supplied by
untrusted parties.  Having to show the DNSKEY record for a DS record
makes sure the embedded hash in the DS record is genuine, which
prevents all known evil twin attacks on cryptographic signature
schemes.  SHA-256 is not publicly known to be broken as of today, of
course, but if that changes, such evil twin attacks are likely the
first ones to arrive (see MD5 and SHA-1).  DS data checking looks like
a reasonable way to increase the safety margin.
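An added example of the registry-side check described in the reply above: recompute the DS from the DNSKEY the registrant had to show, and reject the submission if the key tag, algorithm or digest does not match. This is illustration code written for this page, not code from the list post, from OpenSRS or from any registry; the function names are hypothetical, the owner name example.org. is arbitrary, and the 32-byte "public key" (0x00..0x1f) is a constructed placeholder, not a real Ed25519 key. It goes a little beyond the post by also checking the protocol field, the zone-key flag and the fixed EdDSA key sizes from RFC 8080.

```python
"""Added example (not code from the list post or from any registry/OpenSRS):
recompute the DS from the submitted DNSKEY so that a DS whose hash was
typed in wrong, or for which no DNSKEY was ever shown, is rejected.
Function names and the sample key are assumptions for illustration."""
import base64
import hashlib

# Code points from the IANA DNSSEC registries; RFC 8080 fixes the EdDSA key sizes.
ALG_ED25519, ALG_ED448 = 15, 16
EDDSA_KEY_SIZES = {ALG_ED25519: 32, ALG_ED448: 57}
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100  # RFC 4034 s2.1.1: bit 7 of the DNSKEY flags field

# Constructed sample: a 32-byte placeholder "public key" (0x00..0x1f), NOT a real Ed25519 key.
SAMPLE_OWNER = "example.org."
SAMPLE_DNSKEY = "257 3 15 " + base64.b64encode(bytes(range(32))).decode()


def owner_name_wire(name):
    """Canonical wire form of the owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the empty root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in owner name: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(text):
    """'flags protocol algorithm base64key' -> (flags, protocol, algorithm, key bytes)."""
    flags, protocol, algorithm, *key = text.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key))


def parse_ds(text):
    """'keytag algorithm digesttype hexdigest' -> (keytag, algorithm, digesttype, digest bytes)."""
    tag, algorithm, dtype, *digest = text.split()
    return int(tag), int(algorithm), int(dtype), bytes.fromhex("".join(digest))


def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey_text, digest_type=2):
    """DS presentation string for a DNSKEY (RFC 4034 s5.1.4):
    digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(*parse_dnskey(dnskey_text))
    digest = DS_DIGESTS[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), rdata[3], digest_type, digest)


def ds_problems(owner, ds_text, dnskey_text):
    """Registry-side check of a submitted DS against the DNSKEY it claims to hash.
    Returns the reasons to reject the pair; an empty list means accept."""
    problems = []
    flags, protocol, algorithm, key = parse_dnskey(dnskey_text)
    tag, ds_alg, dtype, digest = parse_ds(ds_text)
    if protocol != 3:
        problems.append("DNSKEY protocol must be 3")
    if not flags & ZONE_KEY_FLAG:
        problems.append("DNSKEY zone-key flag not set")
    if algorithm in EDDSA_KEY_SIZES and len(key) != EDDSA_KEY_SIZES[algorithm]:
        problems.append("public key is %d bytes but algorithm %d needs %d"
                        % (len(key), algorithm, EDDSA_KEY_SIZES[algorithm]))
    if dtype not in DS_DIGESTS:
        problems.append("unknown DS digest type %d" % dtype)
        return problems
    expected_tag, _, _, expected_digest = parse_ds(make_ds(owner, dnskey_text, dtype))
    if ds_alg != algorithm:
        problems.append("DS algorithm %d does not match DNSKEY algorithm %d" % (ds_alg, algorithm))
    if tag != expected_tag:
        problems.append("DS key tag %d does not match DNSKEY key tag %d" % (tag, expected_tag))
    if digest != expected_digest:
        problems.append("digest does not match the DNSKEY")
    return problems


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("DS computed from the DNSKEY:", ds)
    print("genuine DS ->", ds_problems(SAMPLE_OWNER, ds, SAMPLE_DNSKEY) or "accepted")
    # A well-formed DS carrying a hash that no shown DNSKEY produces.
    print("made-up DS ->", ds_problems(SAMPLE_OWNER, "62736 15 2 " + "00" * 32, SAMPLE_DNSKEY))
```

The point of the check is that the digest in a DS can only be accepted when the submitter can show a DNSKEY that hashes to it, so a hash copied from somewhere else, or one with a single mistyped hex digit, never reaches the signed DS RRset. The key tag of the constructed sample works out to 62736 by hand (flags 0x0101, protocol 3, algorithm 15, then the bytes 0x00..0x1f), which is what the code reports.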
