On Wed, Jan 22, 2020 at 10:13:40PM +0000, Tony Finch wrote:

> Are there any registries that configure secure delegations from DNSKEY
> records (and do their own conversion to DS records) rather than accepting
> DS records from the registrant?

In answer to the converse question, at least some registries appear to
allow (or have allowed in the past) DS RRs with unverified content:

            domain           | alg | digest type
    -------------------------+-----+------------
    <aaaaaaa>.go.leg.br      |   8 |    0
    <aaaaaaa>.go.leg.br      |   8 |    1
    <bbbbbbbbbbbb>.pr.leg.br |   8 |    0
    <cccccc>.sp.leg.br       |   8 |    0
    <ddddd>.se               |  13 |    8
    <eeee>.se                |   8 |   61

The above 5 (obfuscated) domains have DS RRs with digest types outside
the registered IANA codepoints:

    https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

though the first also has a valid codepoint.

Among domains with at least one valid DNSKEY, at least two have
additional keys with out-of-range codepoints, that were either not
checked by the parent, or added after the initial DS enrolment:

          domain        | alg | flags | inception
    --------------------+-----+-------+------------
    <aaaaa>.eu          | 157 |     0 | <predates survey>
    <aaaaa>.eu          |   7 |   256 |  -"-
    <aaaaa>.eu          |   7 |   257 |  -"-
    <bbbbbbbbbbbbb>.net |   7 |   256 |  -"-
    <bbbbbbbbbbbbb>.net |   7 |   257 |  -"-
    <bbbbbbbbbbbbb>.net | 165 |   512 | 2019-02-23

-- 
    Viktor.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
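As an added example for this thread (not code from Viktor's post, from any registry, or from any DNS software): a small Python check that covers both sides of the question above. check_ds() and check_dnskey() reject the kind of records listed in the post (DS digest types 0, 8 and 61, DNSKEY algorithms 157 and 165, flags 0 and 512), and ds_from_dnskey() does what Tony asked about, deriving the DS RDATA from the child's DNSKEY per RFC 4034 section 5.1.4 so the parent never has to trust a registrant-supplied digest. The registry tables are as of early 2020 and the DNSKEY public key in the demo is constructed, not a real key.

```python
"""Checks a parent (or a registrant, before submitting) can run on DS and DNSKEY
fields.  Added example for this thread, not code from any registry or from the
original poster.

  check_ds / check_dnskey   reject codepoints and flag bits that are not in the
                            IANA registries (digest types 0, 8, 61 and
                            algorithms 157, 165 as listed in the post)
  ds_from_dnskey            derive the DS RDATA from a DNSKEY (RFC 4034 5.1.4),
                            so the parent never trusts a registrant-supplied digest

Registry tables are as of early 2020 (assumption); later allocations are omitted.
"""
import base64
import hashlib
import struct

# IANA "DS RR Type Digest Algorithms": code -> (name, hashlib name or None, digest bytes)
DS_DIGEST_TYPES = {
    1: ("SHA-1", "sha1", 20),
    2: ("SHA-256", "sha256", 32),
    3: ("GOST R 34.11-94", None, 32),   # no hashlib support; length check only
    4: ("SHA-384", "sha384", 48),
}

# IANA "DNS Security Algorithm Numbers": assigned codepoints only (0, 4, 9, 11
# and 123-251 are reserved; 17-122 were unassigned at the time of writing)
DNSKEY_ALGORITHMS = {
    1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512", 12: "ECC-GOST",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
    252: "INDIRECT", 253: "PRIVATEDNS", 254: "PRIVATEOID",
}

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 2.1)
FLAG_ZONE = 0x0100    # bit 7: key may sign the zone (256 = ZSK, 257 = KSK)
FLAG_REVOKE = 0x0080  # bit 8: RFC 5011 revocation
FLAG_SEP = 0x0001     # bit 15: secure entry point
KNOWN_FLAGS = FLAG_ZONE | FLAG_REVOKE | FLAG_SEP


def check_ds(alg, digest_type, digest_hex):
    """Return the problems found in the alg / digest type / digest fields of a DS RR."""
    problems = []
    if alg not in DNSKEY_ALGORITHMS:
        problems.append(f"algorithm {alg} is not an assigned DNSSEC algorithm number")
    entry = DS_DIGEST_TYPES.get(digest_type)
    if entry is None:
        problems.append(f"digest type {digest_type} is not a registered DS digest type")
        return problems
    name, _, length = entry
    try:
        digest = bytes.fromhex(digest_hex)
    except ValueError:
        problems.append("digest field is not valid hex")
        return problems
    if len(digest) != length:
        problems.append(f"{name} digest must be {length} bytes, got {len(digest)}")
    return problems


def check_dnskey(flags, protocol, alg):
    """Return the problems found in the flags / protocol / algorithm fields of a DNSKEY."""
    problems = []
    if protocol != 3:
        problems.append(f"protocol must be 3, got {protocol}")
    if alg not in DNSKEY_ALGORITHMS:
        problems.append(f"algorithm {alg} is not an assigned DNSSEC algorithm number")
    if not flags & FLAG_ZONE:
        problems.append(f"flags {flags}: ZONE bit clear, this is not a zone key")
    if flags & ~KNOWN_FLAGS:
        problems.append(f"flags {flags}: undefined bits set (0x{flags & ~KNOWN_FLAGS:04x})")
    return problems


def name_to_wire(owner):
    """Owner name in canonical (lower-case) wire form, as hashed into the DS digest."""
    labels = owner.lower().rstrip(".").split(".") if owner.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, alg, pubkey):
    """DNSKEY RDATA in wire form: flags (16 bits), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, alg) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 / RSAMD5 uses a different rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, alg, pubkey_b64, digest_type=2):
    """DS RDATA (key tag, alg, digest type, upper-case hex digest) derived from a DNSKEY.

    digest = H(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4.
    """
    entry = DS_DIGEST_TYPES.get(digest_type)
    if entry is None or entry[1] is None:
        raise ValueError(f"digest type {digest_type} not supported here")
    rdata = dnskey_rdata(flags, protocol, alg, base64.b64decode(pubkey_b64))
    digest = hashlib.new(entry[1], name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest


if __name__ == "__main__":
    # The (alg, digest type) pairs from the post, with a constructed dummy digest.
    for alg, dtype in [(8, 0), (8, 1), (13, 8), (8, 61)]:
        print("DS", alg, dtype, check_ds(alg, dtype, "AB" * 20))
    # The (alg, flags) pairs from the post's DNSKEY table.
    for alg, flags in [(157, 0), (7, 256), (7, 257), (165, 512)]:
        print("DNSKEY", alg, flags, check_dnskey(flags, 3, alg))
    # What a parent doing its own conversion would publish for a constructed key.
    fake_key = base64.b64encode(b"\x12\x34\x56").decode()  # constructed, not a real key
    print("DS from DNSKEY:", ds_from_dnskey("example.net.", 257, 3, 8, fake_key, 2))
```

Note that a registry which only runs check_ds() still accepts a well-formed digest over a key that does not exist in the child zone; only the ds_from_dnskey() path (or a live DNSKEY lookup before acceptance) ties the DS to a key that is actually published.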
