* Warren Kumari:

> On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni <ietf-d...@dukhovni.org> 
> wrote:
>>
>> On Wed, Jan 22, 2020 at 10:13:40PM +0000, Tony Finch wrote:
>>
>> > Are there any registries that configure secure delegations from DNSKEY
>> > records (and do their own conversion to DS records) rather than accepting
>> > DS records from the registrant?
>>
>> In answer to the converse question, at least some registries appear to
>> allow (or have allowed in the past) DS RRs with unverified content:
>
>
> This actually seems OK to me -- nonsensical, but OK.

It makes attacks on the underlying hash function for the DS record
easier.  Constructing colliding prefixes is much harder if the prefix
itself contains the hash over something else (because you also have to
construct that something).
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
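
The check a registry can run so that a submitted DS is tied to a DNSKEY the child actually publishes, shown as an added example that is not part of the original thread. The digest construction and key tag follow RFC 4034; the function names and the sample key bytes are constructed for illustration.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercased) wire format of a fully qualified owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """Derive (key tag, algorithm, digest type, hex digest) from a DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches_dnskey(owner, submitted_ds, dnskey_rdatas):
    """True only if the submitted DS is derivable from a published DNSKEY."""
    tag, alg, dtype, digest = submitted_ds
    if dtype not in DIGESTS:
        return False
    wanted = (tag, alg, dtype, digest.lower())
    return any(make_ds(owner, r, dtype) == wanted for r in dnskey_rdatas)

# Constructed sample: KSK flags 257, protocol 3, algorithm 15 (Ed25519),
# with placeholder key bytes (not a real key).
SAMPLE_RDATA = dnskey_rdata(257, 3, 15, bytes(range(32)))
GOOD_DS = make_ds("Example.COM.", SAMPLE_RDATA, 2)
# Same tag and algorithm, but digest content that matches no DNSKEY.
UNVERIFIED_DS = (GOOD_DS[0], 15, 2, "ab" * 32)

if __name__ == "__main__":
    print(ds_matches_dnskey("example.com.", GOOD_DS, [SAMPLE_RDATA]))
    print(ds_matches_dnskey("example.com.", UNVERIFIED_DS, [SAMPLE_RDATA]))
```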
