Re: [dns-operations] any registries require DNSKEY not DS?

On Thursday, 23 January 2020 02:51:28 UTC Warren Kumari wrote: > ... > > If the parent makes the DS for me from my DNSKEY, well, then the DS > suddently "feels" like it belongs more to the parent than the child, > but this is starting to get into the "I no longer know why I believe > what I believ

Re: [dns-operations] any registries require DNSKEY not DS?

On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni wrote: > > On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > > > Are there any registries that configure secure delegations from DNSKEY > > records (and do their own conversion to DS records) rather than accepting > > DS records from the

Re: [dns-operations] any registries require DNSKEY not DS?

On Thu, Jan 23, 2020 at 12:12:15AM +, Tony Finch wrote: > By default dnssec-cds copies CDS records to make DS records, and the > question of SHA-256 or something else only arose when it was asked to turn > CDNSKEY records into DS records. But if the CDS records are generated by > some ancient

Re: [dns-operations] any registries require DNSKEY not DS?

On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? In answer to the converse question, at least some regi

Re: [dns-operations] any registries require DNSKEY not DS?

On Wed, Jan 22, 2020 at 7:12 PM Tony Finch wrote: > > Warren Kumari wrote: > > > > I believe that at least SIDN used to (and perhaps still does) - this > > was one of the reasons that the CDS record is actually CDS/CDNSKEY. > > > > When I first heard this I was confused as to why they'd do this -

Re: [dns-operations] any registries require DNSKEY not DS?

Warren Kumari wrote: > > I believe that at least SIDN used to (and perhaps still does) - this > was one of the reasons that the CDS record is actually CDS/CDNSKEY. > > When I first heard this I was confused as to why they'd do this -- but > then Antoin Verschuren / Cristian explained that they'd l

Re: [dns-operations] any registries require DNSKEY not DS?

On 22/01/2020 17:53, Warren Kumari wrote: > When I first heard this I was confused as to why they'd do this -- but > then Antoin Verschuren / Cristian explained that they'd like to make > sure that a good hash is being used, and suddenly I started wondering > why this isn't the default...:-) The I

Re: [dns-operations] any registries require DNSKEY not DS?

Not exactly what you asked, but a registrar example: Openprovider requires registrant to provide the DNSKEY, not DS, to activate and manage DNSSEC. Rubens > On 22 Jan 2020, at 19:13, Tony Finch wrote: > > Are there any registries that configure secure delegations from DNSKEY > records (and

Re: [dns-operations] any registries require DNSKEY not DS?

I think .ru/.рф were requiring DNSKEY together with DS to publish the DS. Or maybe the registrars were performing additional checks if the DS correspond to DNSKEY. -- Sergey > On 22 Jan 2020, at 23:13, Tony Finch wrote: > > Are there any registries that configure secure delegations from DNS

Re: [dns-operations] any registries require DNSKEY not DS?

On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? I think I have heard that .de is one. this is correct.

Re: [dns-operations] any registries require DNSKEY not DS?

On Wed, Jan 22, 2020 at 5:26 PM Tony Finch wrote: > > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? I believe that at least SIDN used to (and perhaps still does)

Re: [dns-operations] any registries require DNSKEY not DS?

On 22/01/2020 17:13, Tony Finch wrote: > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? I think I have heard that .de is one. CA (IIRC they require both the key and

[dns-operations] any registries require DNSKEY not DS?

Are there any registries that configure secure delegations from DNSKEY records (and do their own conversion to DS records) rather than accepting DS records from the registrant? I think I have heard that .de is one. Looking at OpenSRS as an example of a registrar that supports lots of TLDs, I see th

Re: [dns-operations] DNS of Turk Telekom

--- Begin Message --- Nope. The information is sparse. But I guess something like BGP is involved!? Anyone has more detailed concrete information about this "DNS attack"? https://www.itnews.com.au/news/turk-telekom-says-internet-access-restored-after-cyber-attack-536767

Re: [dns-operations] EDNS Client Subnet (ECS) in queries sent to Google Public DNS

--- Begin Message --- Florian Weimer writes: > How would a DoH client know that the recursive resolver is "forbidden > to forward" ECS data? Dave Lawrence replies: > It doesn't know clearly. All it knows is that if it gets REFUSED when > it sends a prefix outside its own address space, then some