> On 30 Jan 2024, at 15:05, Paul Wouters <p...@nohats.ca> wrote:
>
> On Tue, 30 Jan 2024, Roy Arends wrote:
>
>> DNSSEC is not mandatory, it is recommended.
>>
>> One motivation behind DELEG is the ability to use “Aliasmode” to point to an
>> SVCB record elsewhere, which contains a DS record. This way, DS records in
>> various top level domains can be federated under a single operator. This
>> works solely if both the DELEG is signed and “elsewhere” is signed.
>
> I don't understand what you are saying here. Can you elaborate and maybe
> include an example?

Assume these records in various top level domains at delegation points:

example.com DELEG 0 a1.operator.net
example.net DELEG 0 a2.operator.net
example.org DELEG 0 a3.operator.net
example.uk DELEG 0 a4.operator.net
example.nl DELEG 0 a5.operator.net
example.de DELEG 0 a6.operator.net

In operator.net zone:

$ORIGIN operator.net
a1 SVCB . (DS="19718 13 2 8ACBB0…" ipv4hint=192.0.254.1, 192.0.254.2 )
a2 SVCB . (DS="13284 13 2 1CBA01…" ipv4hint=192.0.254.1, 192.0.254.2 )
a3 SVCB . (DS="60123 13 2 403832…" ipv4hint=192.0.254.1, 192.0.254.2 )
a4 SVCB . (DS="12101 13 2 1A6692…" ipv4hint=192.0.254.1, 192.0.254.2 )
a5 SVCB . (DS="18998 13 2 655212…" ipv4hint=192.0.254.1, 192.0.254.2 )
a6 SVCB . (DS="34421 13 2 90ABAA…" ipv4hint=192.0.254.1, 192.0.254.2 )

This way, the “DELEG” RDATA in the top level domain for “example.$TLD” can be long-lived, administered by the registrar on behalf of the registrant. The operator can manage all the relevant configuration material in the operator.net zone.

Hope this helps

Warmly

Roy

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
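
The trust rule stated in the thread above (a DS reached through an alias-mode DELEG is usable only when both the DELEG and the SVCB record it points to are signed), as an added example that is not part of the original message. It parses the record syntax as sketched in the message; the function names and the `validated` set, which stands in for real DNSSEC validation, are assumptions.

```python
import re

# Records copied from the message above; the digests are truncated there and kept as-is.
TLD_RECORDS = """\
example.com DELEG 0 a1.operator.net
example.net DELEG 0 a2.operator.net
"""
OPERATOR_ZONE = """\
$ORIGIN operator.net
a1 SVCB . (DS="19718 13 2 8ACBB0…" ipv4hint=192.0.254.1, 192.0.254.2 )
a2 SVCB . (DS="13284 13 2 1CBA01…" ipv4hint=192.0.254.1, 192.0.254.2 )
"""

def parse_deleg(text):
    """Map owner name -> alias target for priority-0 (alias mode) DELEG lines."""
    out = {}
    for line in text.splitlines():
        owner, rtype, prio, target = line.split()
        if rtype == "DELEG" and prio == "0":
            out[owner] = target.rstrip(".")
    return out

def parse_operator_zone(text):
    """Map fully qualified owner -> {'ds': (tag, alg, digest_type, digest), 'ipv4hint': [...]}."""
    origin, out = "", {}
    for line in text.splitlines():
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = re.match(r'(\S+) SVCB \. \(DS="([^"]+)" ipv4hint=([^)]*)\)', line)
        if not m:
            continue
        tag, alg, dtype, digest = m.group(2).split()
        hints = [h.strip() for h in m.group(3).split(",")]
        out[f"{m.group(1)}.{origin}"] = {"ds": (int(tag), int(alg), int(dtype), digest), "ipv4hint": hints}
    return out

def ds_for(child, delegs, operator, validated):
    """Return the DS reached through the alias, or None unless BOTH RRsets validated."""
    target = delegs.get(child)
    if target is None or target not in operator:
        return None
    # `validated`: owner names whose RRsets passed DNSSEC validation (assumed input).
    if child not in validated or target not in validated:
        return None  # an unvalidated hop means the DS cannot be trusted
    return operator[target]["ds"]
```
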