On 22/01/2020 17:53, Warren Kumari wrote:
> When I first heard this I was confused as to why they'd do this -- but
> then Antoin Verschuren / Cristian explained that they'd like to make
> sure that a good hash is being used, and suddenly I started wondering
> why this isn't the default...:-)
The IANA TLD template for changes, even if done through a website now and not by email, asks for the DS, not the DNSKEY: https://www.iana.org/domains/root/tld-change-template.txt

Merely one data point on this question about which case is right or not. The EPP secDNS option allows both, in fact three: DS, DNSKEY, or DNSKEY+DS.

On a non-technical level it is more about who really controls the DS record at the parent. If a child suddenly wants to try new things, or new algorithms come along and stuff like that, if you have to send the DNSKEY to the parent then you are limited by the choices the parent gives to you and you may not be able to have the specific DS you would like. Some will prefer to have safeguards ("parent should make sure child does not shoot itself in the foot"), others will prefer to be "agile" and have full liberty (and hence full power to shoot themselves in the foot).

Registrants have the exact same problem when they want their registrar just to forward their desired DS record to the registry, irrespective of what the registrar knows and does about DNSSEC. Some will prefer to have a specific UI that validates everything before sending to the registry (which can make sense in case the registry gives the registrar penalties for faulty commands), and hence lose some liberty, and others will prefer to have the registrar just send the string as an opaque blob and let the end registrant deal with problems.

It also depends what a "good hash" is. If it is just filtering on the key algorithm/key digest type, that information is in the data sent by the registrar to the registry, so the DS record is enough for this check. If the registry wants to do DNSSEC checks completely it would have to do live DNS queries at the child anyway to see what it really publishes as DNSKEY, not what it says - through EPP - that it would publish.
It is the same problem as doing DNS delegation validation at the moment you want to change nameservers (to check the new ones are properly configured) vs doing them "randomly" during the life of a domain (or at least not just once at delegation time but also afterwards).

-- 
Patrick Mevzek
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
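As an added illustration of the DS-vs-DNSKEY point in the post above (example code, not from the thread or from any registry's software): the four DS fields a registry receives through EPP already carry the key algorithm and digest type, so a "good hash" policy check needs no DNS lookup, whereas a parent that is handed only the DNSKEY picks the digest type itself when it derives the DS. The owner name `example.` and the key bytes are constructed placeholders, not a real zone key.

```python
# Derive a DS from a DNSKEY (RFC 4034 section 5.1.4) and apply a registry-side
# "good hash" policy that needs only the DS fields sent through EPP.
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithm 1/RSAMD5 uses another rule)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(name, flags, protocol, alg, pubkey_b64, digest_type):
    """A parent handed a DNSKEY picks digest_type itself.
    Returns (key_tag, algorithm, digest_type, digest_hex)."""
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](owner_wire(name) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)

def ds_acceptable(ds, allowed_algs=frozenset({8, 13, 14, 15, 16}),
                  allowed_digests=frozenset({2, 4})) -> bool:
    """Registry-side filter on the DS fields alone: algorithm and digest type are
    in the record, and the digest length must match the claimed digest type."""
    _tag, alg, dtype, digest = ds
    if alg not in allowed_algs or dtype not in allowed_digests:
        return False
    return len(digest) == DIGEST_ALGS[dtype]().digest_size * 2

# Constructed placeholder key (64 bytes, ECDSAP256SHA256-sized); not a real zone key.
KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    good = make_ds("example.", 257, 3, 13, KEY_B64, 2)  # parent chose SHA-256
    weak = make_ds("example.", 257, 3, 13, KEY_B64, 1)  # child asked for SHA-1
    print("SHA-256 DS accepted:", ds_acceptable(good), "SHA-1:", ds_acceptable(weak))
```

The `allowed_algs` and `allowed_digests` defaults stand in for whatever policy a given parent enforces; the live-query check the post mentions (does the child actually publish that DNSKEY?) is deliberately outside what these functions do.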