> It's something that a signer solution should really check for before
> allowing a zone to be pushed, even if that means some kind of internet
> connectivity to get those DS records.
If a "signer solution" is something done by, for, or in a parent domain (e.g. the gTLD operator, registry, or registrar), thanks but no thanks. Neither ARIN nor Tucows/OpenDS could handle RFC standard DS RRs last year. ARIN choked on perfectly legal blanks from various BIND9 tools to sign PTR RRs. Tucows/OpenDNS seemed to just choke on .net and .com DNSSEC, after saying something about NetworkSolutions having trouble with the blanks.

Never mind that I'm not a fan of those blanks and find them confusing, because I'm merely human and not part of a "signer solution."

My reading between the lines of the recent Network Solutions LinkedIn and the other 5,000 or 50,000 domains kerfuffle is that the problem was in just such "user friendly" (in the very bad old IE sense) machinery.

An authorized authority should be just as free to push, publish, upload, etc. strange, odd, or just plain bad DNSSEC RRs as any other type. Authorized authorities should be able to hire nannies to hold their hands if they want, but hand holding should not be the default, not even if you exclude the long time usual suspect sources of "innocent" DNS chaos.

Vernon Schryver [email protected]
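The check the quoted text asks for (confirm the parent's DS actually covers the zone's KSK before pushing a signed zone), as an added example that is not from the thread or from any of the tools named in it: it recomputes the DS from a DNSKEY per RFC 4034 and accepts the "perfectly legal blanks" inside the hex digest that the DS presentation format permits. The DNSKEY values are constructed for illustration, not a real key.

```python
import hashlib

def owner_wire(name: str) -> bytes:
    """Canonical wire-format owner name (lowercased labels), RFC 4034 section 6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest types this checker understands (RFC 4034, RFC 4509, RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_for_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Compute the DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def parse_ds(text: str):
    """Parse DS presentation RDATA ('tag alg dtype hexdigest'). RFC 4034 section 5.3
    allows whitespace inside the hex digest, so all trailing fields are joined."""
    f = text.split()
    return (int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper())

def ds_matches_dnskey(parent_ds, owner, flags, protocol, algorithm, pubkey) -> bool:
    """True if at least one parent-side DS (presentation form) covers this DNSKEY."""
    for ds in parent_ds:
        tag, alg, dtype, digest = parse_ds(ds)
        if dtype not in DIGESTS:
            continue  # unknown digest type: cannot confirm it, so it does not count
        if (tag, alg, dtype, digest) == ds_for_dnskey(owner, flags, protocol, algorithm, pubkey, dtype):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample KSK (flags 257, algorithm 13) with a dummy 4-byte key.
    key = bytes([1, 2, 3, 4])
    tag, alg, dtype, digest = ds_for_dnskey("example.com.", 257, 3, 13, key)
    # The same DS written with a blank inside the digest, as some tools print it.
    published = f"{tag} {alg} {dtype} {digest[:32]} {digest[32:]}"
    print("DS covers KSK:", ds_matches_dnskey([published], "example.com", 257, 3, 13, key))
```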
