On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> On Wed, Jan 22, 2020 at 10:13:40PM +0000, Tony Finch wrote:
>
> > Are there any registries that configure secure delegations from DNSKEY
> > records (and do their own conversion to DS records) rather than accepting
> > DS records from the registrant?
>
> In answer to the converse question, at least some registries appear to
> allow (or have allowed in the past) DS RRs with unverified content:
This actually seems OK to me -- nonsensical, but OK. The DS record "belongs"
to the child, and so I feel like, as long as it isn't harmful to the parent /
the Internet, the child can put whatever silliness in there that they would
like. If I chose to hand my parent an NS record with 192.168.0.22 as the
address, I'd expect them to publish it -- I understand (and appreciate) that
some ccTLDs perform sanity checks, and have various policies that they will
only accept "good" data, but that's an explicit choice by them - absent such a
policy, I think I should be able to add a DS with algorithm 42, digest type of
17, and rdata of badc0ffee.

If the parent makes the DS for me from my DNSKEY, well, then the DS suddenly
"feels" like it belongs more to the parent than the child, but this is
starting to get into the "I no longer know why I believe what I believe"
territory (and is internally inconsistent), so I'll just stop thinking about
this and go shopping instead :-)

W

>
>     domain                   | alg | digest type
>     -------------------------+-----+------------
>     <aaaaaaa>.go.leg.br      |   8 |           0
>     <aaaaaaa>.go.leg.br      |   8 |           1
>     <bbbbbbbbbbbb>.pr.leg.br |   8 |           0
>     <cccccc>.sp.leg.br       |   8 |           0
>     <ddddd>.se               |  13 |           8
>     <eeee>.se                |   8 |          61
>
> The above 5 (obfuscated) domains have DS RRs with digest types outside
> the registered IANA codepoints:
>
>     https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml
>
> though the first also has a valid codepoint.
>
> Among domains with at least one valid DNSKEY at least two have
> additional keys with out of range codepoints, that were either not
> checked by the parent, or added after the initial DS enrolment:
>
>     domain              | alg | flags | inception
>     --------------------+-----+-------+------------------
>     <aaaaa>.eu          | 157 |     0 | <predates survey>
>     <aaaaa>.eu          |   7 |   256 | -"-
>     <aaaaa>.eu          |   7 |   257 | -"-
>     <bbbbbbbbbbbbb>.net |   7 |   256 | -"-
>     <bbbbbbbbbbbbb>.net |   7 |   257 | -"-
>     <bbbbbbbbbbbbb>.net | 165 |   512 | 2019-02-23
>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
I don't think the execution is relevant when it was obviously a bad idea
in the first place. This is like putting rabid weasels in your pants, and
later expressing regret at having chosen those particular rabid weasels
and that pair of pants.
   ---maf
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
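The thread contrasts two registry models: accepting a DS from the registrant as-is, or deriving the DS from the child's DNSKEY. The following is an added example (not code from this thread, nor from any registry or the dns-operations list) showing both halves from a parent's point of view: the RFC 4034 DNSKEY-to-DS conversion (key tag over the RDATA, digest over owner name plus RDATA), and the kind of pre-publication sanity check that would have flagged the rows in Viktor's tables (digest types 0, 8, 61; algorithms 157 and 165; DNSKEY flags 0 and 512) and Warren's deliberately silly DS (algorithm 42, digest type 17, `badc0ffee`). The IANA registry tables are a hand-typed snapshot, so treat them as an assumption; owner names are assumed to be plain ASCII with no escapes or IDN handling.

```python
"""DNSKEY -> DS conversion and DS/DNSKEY codepoint sanity checks.

Added example for the dns-operations thread; not code from the thread
or any registry.  Registry tables below are a hand-typed snapshot
(assumption), not fetched from IANA.
"""
import hashlib

# DNSSEC algorithm numbers (IANA dns-sec-alg-numbers; snapshot, assumption).
DNSSEC_ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448", 253: "PRIVATEDNS", 254: "PRIVATEOID",
}

# DS digest types (IANA ds-rr-types; snapshot, assumption):
# name, hashlib constructor (None if hashlib has no implementation), digest length.
DS_DIGEST_TYPES = {
    1: ("SHA-1", hashlib.sha1, 20),
    2: ("SHA-256", hashlib.sha256, 32),
    3: ("GOST R 34.11-94", None, 32),
    4: ("SHA-384", hashlib.sha384, 48),
}

# DNSKEY flag bits defined by RFC 4034 and RFC 5011; everything else is unassigned.
FLAG_ZONE, FLAG_REVOKE, FLAG_SEP = 0x0100, 0x0080, 0x0001
KNOWN_FLAGS = FLAG_ZONE | FLAG_REVOKE | FLAG_SEP


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels,
    terminated by the root label.  ASCII only (assumption)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, algorithm: int, pubkey: bytes,
                   digest_type: int = 2) -> tuple:
    """Derive (key_tag, algorithm, digest_type, digest_hex) per RFC 4034 s5.1.4:
    digest = H(owner name wire | DNSKEY RDATA)."""
    name, ctor, _ = DS_DIGEST_TYPES[digest_type]
    if ctor is None:
        raise ValueError(f"no local implementation for digest type {digest_type} ({name})")
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = ctor(owner_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def check_ds(algorithm: int, digest_type: int, digest_hex: str) -> list:
    """Problems a parent could flag before publishing a registrant-supplied DS."""
    problems = []
    if algorithm not in DNSSEC_ALGORITHMS:
        problems.append(f"algorithm {algorithm} is not an IANA-registered codepoint")
    if digest_type not in DS_DIGEST_TYPES:
        problems.append(f"digest type {digest_type} is not an IANA-registered codepoint")
    else:
        expected = DS_DIGEST_TYPES[digest_type][2]
        if len(digest_hex) != 2 * expected:
            problems.append(f"digest is {len(digest_hex) // 2} bytes, expected {expected}")
    try:
        bytes.fromhex(digest_hex)
    except ValueError:
        problems.append("digest is not valid hex")
    return problems


def check_dnskey(flags: int, algorithm: int) -> list:
    """Problems a parent could flag when converting a child's DNSKEY itself."""
    problems = []
    if algorithm not in DNSSEC_ALGORITHMS:
        problems.append(f"algorithm {algorithm} is not an IANA-registered codepoint")
    if not flags & FLAG_ZONE:
        problems.append("ZONE flag (256) not set; not a zone key")
    if flags & ~KNOWN_FLAGS:
        problems.append(f"unassigned flag bits set: {flags & ~KNOWN_FLAGS:#06x}")
    return problems


if __name__ == "__main__":
    # Constructed rows mirroring the shapes seen in the thread's tables.
    for alg, dt, digest in [(8, 0, "ab" * 32), (13, 8, "ab" * 32), (8, 61, "ab" * 32),
                            (42, 17, "badc0ffee"), (8, 2, "ab" * 32)]:
        print(f"DS alg={alg} dt={dt}: {check_ds(alg, dt, digest) or 'ok'}")
    for flags, alg in [(0, 157), (512, 165), (257, 7)]:
        print(f"DNSKEY flags={flags} alg={alg}: {check_dnskey(flags, alg) or 'ok'}")
    print(ds_from_dnskey("example.com.", 257, 8, b"\x01\x02\x03\x04"))
```

`ds_from_dnskey` produces a DS whose codepoints and digest length pass `check_ds` by construction, which is the property a parent gets for free when it derives the DS itself; `check_ds` is the minimum a parent accepting registrant DS data would need to reject the out-of-range digest types in the tables above.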