On Wed, Jan 08, 2020 at 06:00:06PM -0500, Viktor Dukhovni wrote:

> Well, there are various services where indeed the zone administrator signs
> records from authenticated, but otherwise untrusted customers, provided
> the RR owner is associated with the customer.
> 
> For example, the .DE zone (which uses algorithm 8, so not subject to
> any SHA-1 issues) allows registrants that only need a handful of
> DNS records to have those records published directly in the .DE
> zone, without delegation.
> 
> Other zones may make similar arrangements.

Or more simply, when Let's Encrypt, or some cloud provider asks you to
publish a TXT RR in your zone to prove zone control, how sure are you
that's not a hash collision in disguise?

-- 
    Viktor.
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
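The concern raised in the message combines two conditions: the zone is signed with a SHA-1-based algorithm, and the zone publishes records whose content was chosen by an outside party (a TXT validation token, for instance). The following audit script is an added example written for this page, not code from the poster or the list; it parses constructed zone-file lines, reads the algorithm number from DNSKEY records, and lists TXT records that match a few illustrative markers of third-party-supplied tokens (the `_acme-challenge` label and "verification" strings are assumptions chosen for the example, not a complete list).

```python
"""Flag zones that sign third-party-supplied TXT data with a SHA-1-based DNSSEC algorithm."""
import re

# DNSSEC algorithm numbers (IANA registry) whose signatures depend on SHA-1.
SHA1_ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
# Algorithms with no SHA-1 dependency; 8 is the one the message cites for .DE.
NON_SHA1_ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                       14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# Assumption: owner labels and rdata markers that usually indicate a token
# some outside service asked the zone owner to publish. Illustrative only.
THIRD_PARTY_TXT_LABELS = ("_acme-challenge",)
THIRD_PARTY_TXT_MARKERS = ("site-verification", "verification=")

# owner [ttl] [IN] type rdata  (presentation format, one record per line)
RR_LINE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")

# Constructed sample zone: keys on algorithm 7 plus two externally requested TXT tokens.
SAMPLE_ZONE = """\
; constructed example, not a real zone
example.net.                 3600 IN DNSKEY 257 3 7 AwEAAcKSKBASE64PLACEHOLDER==
example.net.                 3600 IN DNSKEY 256 3 7 AwEAAbZSKBASE64PLACEHOLDER==
www.example.net.             3600 IN A      192.0.2.10
_acme-challenge.example.net.  300 IN TXT    "gfj9Xq1CONSTRUCTEDTOKENvalue"
example.net.                 3600 IN TXT    "cloud-site-verification=abc123"
"""


def parse_zone(text):
    """Return (owner, type, rdata) tuples; comment lines and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m["owner"].lower(), m["type"], m["rdata"].strip()))
    return records


def signing_algorithms(records):
    """Algorithm numbers of every DNSKEY in the zone (rdata: flags protocol algorithm key)."""
    return {int(rdata.split()[2]) for _, rtype, rdata in records if rtype == "DNSKEY"}


def third_party_txt(records):
    """TXT records whose content an outside party chose, by the assumed markers above."""
    hits = []
    for owner, rtype, rdata in records:
        if rtype != "TXT":
            continue
        if owner.startswith(THIRD_PARTY_TXT_LABELS) or any(mk in rdata for mk in THIRD_PARTY_TXT_MARKERS):
            hits.append((owner, rdata))
    return hits


def audit(zone_text):
    """Summarise whether the message's collision concern applies to this zone."""
    records = parse_zone(zone_text)
    algs = signing_algorithms(records)
    weak = sorted(a for a in algs if a in SHA1_ALGORITHMS)
    external = third_party_txt(records)
    return {
        "algorithms": sorted(algs),
        "sha1_algorithms": weak,
        "third_party_txt": external,
        # Exposure needs both: a SHA-1-based signing algorithm and attacker-chosen data to sign.
        "collision_exposure": bool(weak) and bool(external),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ZONE)
    for alg in report["sha1_algorithms"]:
        print(f"zone signed with SHA-1-based algorithm {alg} ({SHA1_ALGORITHMS[alg]})")
    for owner, rdata in report["third_party_txt"]:
        print(f"externally supplied TXT at {owner}: {rdata}")
    print("collision exposure:", report["collision_exposure"])
```

Re-running the audit on the same zone with the DNSKEYs moved to algorithm 8 clears the exposure flag even though the TXT tokens remain, which is the point of the message: the third-party records are normal operational practice, and the mitigation is on the signing-algorithm side.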
