On Wed, Jan 22, 2020 at 09:06:21PM -0500, Viktor Dukhovni wrote: > On Wed, Jan 22, 2020 at 10:13:40PM +0000, Tony Finch wrote: > > > Are there any registries that configure secure delegations from DNSKEY > > records (and do their own conversion to DS records) rather than accepting > > DS records from the registrant? > > In answer to the converse question, at least some registries appear to > allow (or have allowed in the past) DS RRs with unverified content: > > domain | alg | digest type > -------------------------+-----+------------ > <aaaaaaa>.go.leg.br | 8 | 0 > <aaaaaaa>.go.leg.br | 8 | 1 > <bbbbbbbbbbbb>.pr.leg.br | 8 | 0 > <cccccc>.sp.leg.br | 8 | 0
Just as a matter of clarification, those fourth level "grandchild" delegations are beyond the registry control. The third level ones are totally correct. Fred _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
