On Thu, Jan 23, 2020 at 12:12:15AM +, Tony Finch wrote:
> By default dnssec-cds copies CDS records to make DS records, and the
> question of SHA-256 or something else only arose when it was asked to turn
> CDNSKEY records into DS records. But if the CDS records are generated by
> some ancient
On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote:
> Are there any registries that configure secure delegations from DNSKEY
> records (and do their own conversion to DS records) rather than accepting
> DS records from the registrant?
In answer to the converse question, at least some
On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni wrote:
>
> On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote:
>
> > Are there any registries that configure secure delegations from DNSKEY
> > records (and do their own conversion to DS records) rather than accepting
> > DS records from the
On Thursday, 23 January 2020 02:51:28 UTC Warren Kumari wrote:
> ...
>
> If the parent makes the DS for me from my DNSKEY, well, then the DS
> suddently "feels" like it belongs more to the parent than the child,
> but this is starting to get into the "I no longer know why I believe
> what I
--- Begin Message ---
Florian Weimer writes:
> How would a DoH client know that the recursive resolver is "forbidden
> to forward" ECS data?
Dave Lawrence replies:
> It doesn't know clearly. All it knows is that if it gets REFUSED when
> it sends a prefix outside its own address space, then
--- Begin Message ---
Nope. The information is sparse. But I guess something like BGP is involved!?
Anyone has more detailed concrete information about this "DNS attack"?
https://www.itnews.com.au/news/turk-telekom-says-internet-access-restored-after-cyber-attack-536767
Are there any registries that configure secure delegations from DNSKEY
records (and do their own conversion to DS records) rather than accepting
DS records from the registrant? I think I have heard that .de is one.
Looking at OpenSRS as an example of a registrar that supports lots of
TLDs, I see
Not exactly what you asked, but a registrar example: Openprovider requires
registrant to provide the DNSKEY, not DS, to activate and manage DNSSEC.
Rubens
> On 22 Jan 2020, at 19:13, Tony Finch wrote:
>
> Are there any registries that configure secure delegations from DNSKEY
> records (and
On Wed, Jan 22, 2020 at 5:26 PM Tony Finch wrote:
>
> Are there any registries that configure secure delegations from DNSKEY
> records (and do their own conversion to DS records) rather than accepting
> DS records from the registrant?
I believe that at least SIDN used to (and perhaps still does)
On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote:
> Are there any registries that configure secure delegations from DNSKEY
> records (and do their own conversion to DS records) rather than accepting
> DS records from the registrant? I think I have heard that .de is one.
this is correct.
I think .ru/.рф were requiring DNSKEY together with DS to publish the DS. Or
maybe the registrars were performing additional checks if the DS correspond to
DNSKEY.
--
Sergey
> On 22 Jan 2020, at 23:13, Tony Finch wrote:
>
> Are there any registries that configure secure delegations from
On 22/01/2020 17:53, Warren Kumari wrote:
> When I first heard this I was confused as to why they'd do this -- but
> then Antoin Verschuren / Cristian explained that they'd like to make
> sure that a good hash is being used, and suddenly I started wondering
> why this isn't the default...:-)
The
Warren Kumari wrote:
>
> I believe that at least SIDN used to (and perhaps still does) - this
> was one of the reasons that the CDS record is actually CDS/CDNSKEY.
>
> When I first heard this I was confused as to why they'd do this -- but
> then Antoin Verschuren / Cristian explained that they'd
On Wed, Jan 22, 2020 at 7:12 PM Tony Finch wrote:
>
> Warren Kumari wrote:
> >
> > I believe that at least SIDN used to (and perhaps still does) - this
> > was one of the reasons that the CDS record is actually CDS/CDNSKEY.
> >
> > When I first heard this I was confused as to why they'd do this
14 matches
Mail list logo