On 2018-12-06 15:59 -0500, Viktor Dukhovni wrote:
> To prevent crappy DS records, the registrar or registry would need
> to check that the zone contains a matching key (matching key tag
> and hash value) before publishing the DS record.
That would then prohibit prepublishing the DS record in advance of the
DNSKEY one as it happens for some scenarios ("standby" key for
emergencies for example).
See https://tools.ietf.org/html/rfc7583#section-3.3.2
DNSSEC data through EPP can also be done during the domain:create, at
which point obviously the domain name does not resolve yet and hence
there is no DNSKEY to check, but you may still want to publish a DS
record in advance.
See https://datatracker.ietf.org/doc/html/rfc4310#section-3.2.1
IIRC some registrars don't support direct input of DS records,
rather they accept DNSKEY RRs, and compute the DS.
Some registries also allow only DNSKEY and deal with DS records themselves.
Some others ask registrars to send DNSKEY + DS, probably in order to
double check the DS was computed correctly.
--
Patrick Mevzek
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
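The check Viktor describes and the "registrar computes the DS from the DNSKEY" behaviour Patrick mentions both come down to the same arithmetic: derive key tag and digest from the DNSKEY RDATA and compare with what the parent would publish. The example below is added here and is not code from the thread or from any registry; it follows RFC 4034 (key tag in Appendix B, DS digest in section 5.1.4) using only the Python standard library. The public-key bytes are a constructed placeholder, not a real key, which is fine because DS computation treats the key as opaque bytes. It also distinguishes the "no matching DNSKEY at all" case (the prepublished or standby DS Patrick points to, which a strict registry check would wrongly reject) from a DS whose key tag matches but whose digest does not (a genuinely broken DS).

```python
"""Compute DS records from DNSKEY RDATA and check a DS set against a zone's DNSKEY set.

Added example, not from the DNSOP thread. Follows RFC 4034 (key tag: Appendix B,
DS digest: section 5.1.4). The key material below is a constructed placeholder.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, hex_digest), i.e. the DS RDATA fields.

    The digest is computed over owner name (wire form) || DNSKEY RDATA.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = hashlib.new(DIGEST_ALGOS[digest_type], owner_wire(owner) + rdata)
    return (key_tag(rdata), algorithm, digest_type, h.hexdigest().upper())


def check_ds_set(owner: str, ds_set: list, dnskey_set: list) -> list:
    """Classify each DS against the zone's DNSKEYs.

    'match'           - a DNSKEY yields exactly this DS
    'digest-mismatch' - a DNSKEY has the same key tag and algorithm but a different digest
                        (a mis-computed or corrupted DS: the thing worth rejecting)
    'no-dnskey'       - no DNSKEY with that tag/algorithm is published at all
                        (e.g. a prepublished or standby key; not necessarily an error)
    dnskey_set entries are (flags, protocol, algorithm, pubkey_b64) tuples.
    """
    results = []
    for tag, alg, dtype, digest in ds_set:
        verdict = "no-dnskey"
        for flags, proto, k_alg, key in dnskey_set:
            cand_tag, cand_alg, _, cand_digest = make_ds(owner, flags, proto, k_alg, key, dtype)
            if (cand_tag, cand_alg) != (tag, alg):
                continue
            if cand_digest == digest.upper():
                verdict = "match"
                break
            verdict = "digest-mismatch"
        results.append(verdict)
    return results


# Constructed placeholder key (4 bytes; a real ECDSA P-256 key would be 64 bytes).
PLACEHOLDER_KEY = (257, 3, 13, base64.b64encode(b"\x01\x02\x03\x04").decode())


if __name__ == "__main__":
    owner = "example."
    ds = make_ds(owner, *PLACEHOLDER_KEY)
    print("%s IN DS %d %d %d %s" % ((owner,) + ds))
    print(check_ds_set(owner, [ds], [PLACEHOLDER_KEY]))
```

In practice the DNSKEY set would be fetched from the child zone (ideally over a validating resolver or directly from the authoritative servers) and the DS set from the parent; only the `digest-mismatch` outcome is the "crappy DS" case, while `no-dnskey` is what a standby or prepublished DS legitimately looks like.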