On Sat, Dec 14, 2013 at 04:16:08PM -0500, John wrote:

> Yes, unfortunately my .ca Registrar is not currently capable of
> handling DS or DNSKEY records so I am using the ISC DLV. It works
> for most things, but I assume from your comment that TLSA will
> require records at the .ca root. I have the same problem with the
> other two domains where Tucows is the registrar.

No, in fact there is no special magic for TLSA RRs as opposed to
other DNSSEC records.  They are protected or not protected by DNSSEC
in the same way as all other records.  Rather, OpenWRT on my home
router is not configured to use ISC's DLV.  If some verifier is
configured to consult the ISC DLV, they may well find your TLSA
RRset to be secure and thus usable.

For what it is worth, as another data-point, the Google 8.8.8.8
recursive DNS servers also don't report "klam.ca" as being signed.

-- 
        Viktor.
