On 2020/01/22 17:13, Tony Finch wrote: > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? I think I have heard that .de is one. > Looking at OpenSRS as an example of a registrar that supports lots of > TLDs, I see that they don't support DNSSEC for .de > http://opensrs.help/chart and their API only supports DS records > https://domains.opensrs.guide/docs/set_dnssec_info > > Also, I am uncomfortable with the endianness of their support domain names... > > Tony. >
I'm not sure whether any *registries* require DNSKEY vs DS, but I am
familiar with differences among *registrars* via direct and recent (on
the order of hours and days) experience with updating DS records for
COM, NET, ORG, ARPA, and EDU.
COM via GKG: DS
NET via GKG: DS
NET via gandi: DNSKEY
ORG via GKG: DS
ORG via gandi: DNSKEY
ARPA via ARIN: DS
EDU via EDUCAUSE: DS
The only evidence I observed/recall that a registrar attempted to
validate the supplied parameters is that GKG warned upon submission
before accepting and allowed override.
--
John W. O'Brien
OpenPGP keys:
0x33C4D64B895DBF3B
signature.asc
Description: OpenPGP digital signature
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
