<div><br>
<br>
On Thu, Jan 23, 2020 at 3:39 PM Florian Weimer <<a href="mailto:fw@deneb.enyo.de" target="_blank">fw@deneb.enyo.de</a>> wrote:<br>
><br>
> * Warren Kumari:<br>
><br>
> > On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org" target="_blank">ietf-dane@dukhovni.org</a>> wrote:<br>
> >><br>
> >> On Wed, Jan 22, 2020 at 10:13:40PM +0000, Tony Finch wrote:<br>
> >><br>
> >> > Are there any registries that configure secure delegations from DNSKEY<br>
> >> > records (and do their own conversion to DS records) rather than accepting<br>
> >> > DS records from the registrant?<br>
> >><br>
> >> In answer to the converse question, at least some registries appear to<br>
> >> allow (or have allowed in the past) DS RRs with unverified content:<br>
> ><br>
> ><br>
> > This actually seems OK to me -- nonsensical, but OK.<br>
><br>
> It makes attacks on the underlying hash function for the DS record<br>
> easier. Constructing colliding prefixes is much harder if the prefix<br>
> itself contains the hash over something else (because you also have to<br>
> construct that something).<br>
<br></div><div><div dir="auto">
That's fair - but that's more of a (good) argument for the parent calculating the DS from the DNSKEY than not allowing children to put in things like unregistered algorithm/ hash types. We’ve had lots of deployment issues with things like restrictive registrar web interfaces that don’t allow users to enter valid DS records because they haven’t been updated yet; there is a trade off between protecting users from themselves, and agility...</div><div dir="auto"><br></div><div dir="auto">W</div><br></div><div>
<br>
<br>
<br>
<br>
-- <br>
I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br>
---maf<br>
</div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br> ---maf</div>