Re: [dns-operations] any registries require DNSKEY not DS?

2020-04-21 Thread Olafur Gudmundsson
> On Apr 17, 2020, at 4:45 PM, Brian Dickson > wrote: > > > > On Fri, Apr 17, 2020 at 12:57 PM Olafur Gudmundsson > wrote: > > >> On Jan 22, 2020, at 11:16 PM, Paul Vixie > > wrote: >> >> On Thursday, 23 January 2020 02:51:28 UTC Warren

Re: [dns-operations] any registries require DNSKEY not DS?

2020-04-17 Thread Paul Vixie
On Friday, 17 April 2020 19:48:48 UTC Olafur Gudmundsson wrote: > > On Jan 22, 2020, at 11:16 PM, Paul Vixie wrote: > > > > ... > > > > historians please note: we should have put the DS RRset at $child._dnssec. > > $parent, so that there was no exception to the rule whereby the delegation > >

Re: [dns-operations] any registries require DNSKEY not DS?

2020-04-17 Thread Mark Andrews
> On 18 Apr 2020, at 08:00, Viktor Dukhovni wrote: > > On Fri, Apr 17, 2020 at 01:45:02PM -0700, Brian Dickson wrote: > >> Would the method have potentially been to have GLUEA and GLUE >> records rather than effectively overloading the A/ status >> (authoritative vs not)? >> >> And

Re: [dns-operations] any registries require DNSKEY not DS?

2020-04-17 Thread Viktor Dukhovni
On Fri, Apr 17, 2020 at 01:45:02PM -0700, Brian Dickson wrote: > Would the method have potentially been to have GLUEA and GLUE > records rather than effectively overloading the A/ status > (authoritative vs not)? > > And then all of the new types that live only in the parent, could have >

Re: [dns-operations] any registries require DNSKEY not DS?

2020-04-17 Thread Brian Dickson
On Fri, Apr 17, 2020 at 12:57 PM Olafur Gudmundsson wrote: > > > On Jan 22, 2020, at 11:16 PM, Paul Vixie wrote: > > On Thursday, 23 January 2020 02:51:28 UTC Warren Kumari wrote: > > ... > > If the parent makes the DS for me from my DNSKEY, well, then the DS > suddenly "feels" like it belongs

Re: [dns-operations] any registries require DNSKEY not DS?

2020-04-17 Thread Olafur Gudmundsson
> On Jan 22, 2020, at 11:16 PM, Paul Vixie wrote: > > On Thursday, 23 January 2020 02:51:28 UTC Warren Kumari wrote: >> ... >> >> If the parent makes the DS for me from my DNSKEY, well, then the DS >> suddenly "feels" like it belongs more to the parent than the child, >> but this is starting

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-24 Thread Andrew Sullivan
On Thu, Jan 23, 2020 at 05:28:15PM -0500, Warren Kumari wrote: > That's fair - but that's more of a (good) argument for the parent > calculating the DS from the DNSKEY I always believed that this was the only defensible thing, given that DS is authoritative at the parent. I was in the rough.

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Maarten Bosteels
On Wed, Jan 22, 2020 at 11:51 PM Patrick Mevzek wrote: > On 22/01/2020 17:13, Tony Finch wrote: > > Are there any registries that configure secure delegations from DNSKEY > > records (and do their own conversion to DS records) rather than accepting > > DS records from the registrant? I think I

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Warren Kumari
On Thu, Jan 23, 2020 at 3:39 PM Florian Weimer wrote: > > * Warren Kumari: > > > On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni wrote: > >> > >> On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > >> > >> > Are there any registries that configure secure delegations from DNSKEY > >> >

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Maarten Bosteels
On Wed, Jan 22, 2020 at 11:51 PM Patrick Mevzek wrote: > > CA (IIRC they require both the key and DS, probably to double check the > DS themselves), BE and EU are some examples that come immediately to > mind. There are others. > > Indeed, for .be we expect the registrar to send us the DNSKEY

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Viktor Dukhovni
On Thu, Jan 23, 2020 at 09:38:00PM +0100, Florian Weimer wrote: > >> In answer to the converse question, at least some registries appear to > >> allow (or have allowed in the past) DS RRs with unverified content: > > > > This actually seems OK to me -- nonsensical, but OK. > > It makes attacks

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Florian Weimer
* Warren Kumari: > On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni > wrote: >> >> On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: >> >> > Are there any registries that configure secure delegations from DNSKEY >> > records (and do their own conversion to DS records) rather than

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Frederico A C Neves
On Wed, Jan 22, 2020 at 09:06:21PM -0500, Viktor Dukhovni wrote: > On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > > > Are there any registries that configure secure delegations from DNSKEY > > records (and do their own conversion to DS records) rather than accepting > > DS records

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Tony Finch
Thanks for all the interesting replies! The reason for the question is to do with child-side tools for updating delegations. RFC 7344 CDS/CDNSKEY records are brilliant for this because they provide a standard interface between key management / signing software and registr* API client software:

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Tony Finch
Viktor Dukhovni wrote: > > Which is not to say that one should continue to use SHA-1 in DS RRs, > there but there is little risk in doing for the foreseeable future. Right. Getting rid of SHA-1 in DS and CDS might not be cryptographically necessary [*], but it's required for protocol conformance,

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread John W. O'Brien
On 2020/01/22 17:13, Tony Finch wrote: > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? I think I have heard that .de is one. > Looking at OpenSRS as an example of

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Marc Groeneweg via dns-operations
--- Begin Message --- All, Yes, SIDN is still using DNSKEY for reasons stated by Antoin in the past. Regards, Marc On Wed, Jan 22, 2020 at 5:26 PM Tony Finch wrote: > > Are there any registries that configure secure delegations from DNSKEY > records (and do their own

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Paul Vixie
On Thursday, 23 January 2020 02:51:28 UTC Warren Kumari wrote: > ... > > If the parent makes the DS for me from my DNSKEY, well, then the DS > suddenly "feels" like it belongs more to the parent than the child, > but this is starting to get into the "I no longer know why I believe > what I

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Warren Kumari
On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni wrote: > > On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > > > Are there any registries that configure secure delegations from DNSKEY > > records (and do their own conversion to DS records) rather than accepting > > DS records from the

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Viktor Dukhovni
On Thu, Jan 23, 2020 at 12:12:15AM +, Tony Finch wrote: > By default dnssec-cds copies CDS records to make DS records, and the > question of SHA-256 or something else only arose when it was asked to turn > CDNSKEY records into DS records. But if the CDS records are generated by > some ancient

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Viktor Dukhovni
On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? In answer to the converse question, at least some

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Warren Kumari
On Wed, Jan 22, 2020 at 7:12 PM Tony Finch wrote: > > Warren Kumari wrote: > > > > I believe that at least SIDN used to (and perhaps still does) - this > > was one of the reasons that the CDS record is actually CDS/CDNSKEY. > > > > When I first heard this I was confused as to why they'd do this

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Tony Finch
Warren Kumari wrote: > > I believe that at least SIDN used to (and perhaps still does) - this > was one of the reasons that the CDS record is actually CDS/CDNSKEY. > > When I first heard this I was confused as to why they'd do this -- but > then Antoin Verschuren / Cristian explained that they'd

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Patrick Mevzek
On 22/01/2020 17:53, Warren Kumari wrote: > When I first heard this I was confused as to why they'd do this -- but > then Antoin Verschuren / Cristian explained that they'd like to make > sure that a good hash is being used, and suddenly I started wondering > why this isn't the default...:-) The

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Rubens Kuhl
Not exactly what you asked, but a registrar example: Openprovider requires registrant to provide the DNSKEY, not DS, to activate and manage DNSSEC. Rubens > On 22 Jan 2020, at 19:13, Tony Finch wrote: > > Are there any registries that configure secure delegations from DNSKEY > records (and

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Sergey Myasoedov
I think .ru/.рф were requiring DNSKEY together with DS to publish the DS. Or maybe the registrars were performing additional checks if the DS corresponds to DNSKEY. -- Sergey > On 22 Jan 2020, at 23:13, Tony Finch wrote: > > Are there any registries that configure secure delegations from

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Peter Koch
On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? I think I have heard that .de is one. this is correct.

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Warren Kumari
On Wed, Jan 22, 2020 at 5:26 PM Tony Finch wrote: > > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? I believe that at least SIDN used to (and perhaps still does)