* Simon Arlott via dns-operations:
> Supposedly it is to protect registrants from bad data but it would be
> trivial to simply enter the wrong numbers in the individual component DS
> record web forms that everyone is fond of.
The registry signs the DS RRset with its own key. It's good practice to apply as many checks as possible when signing data supplied by untrusted parties. Having to show the DNSKEY record for a DS record makes sure the embedded hash in the DS record is genuine, which prevents all known evil twin attacks on cryptographic signature schemes. SHA-256 is not publicly known to be broken as of today, of course, but if that changes, such evil twin attacks are likely the first ones to arrive (see MD5 and SHA-1). DS data checking looks like a reasonable way to increase the safety margin.

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
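The registry-side check the reply argues for, written out as an added example (this is not code from the post, from any registry, or from DNS-OARC): the registrant submits a DS record together with the DNSKEY it claims to hash, and the registry recomputes the DS from that DNSKEY exactly as RFC 4034 section 5.1.4 defines it (digest over the canonical owner name followed by the DNSKEY RDATA) and accepts the submission only if key tag, algorithm, digest type and digest all match. The owner name `example.test.`, the 64-byte key bytes and the `check_ds_submission` function are constructed for illustration; the digest and key-tag arithmetic follow RFC 4034.

```python
import base64
import hashlib
import hmac
import struct

# DS digest types the registry is willing to accept (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed, root terminator."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            wire += struct.pack("B", len(raw)) + raw
    return wire + b"\x00"


def parse_dnskey(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64key' (presentation format) into DNSKEY RDATA wire bytes."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    pubkey = base64.b64decode("".join(key_parts))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = H(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record a correct registrant would derive from this DNSKEY."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type).hex(),
    }


def check_ds_submission(owner: str, dnskey_presentation: str, ds: dict) -> tuple:
    """Hypothetical registry-side validation: returns (accepted, reason).

    A DS whose digest was not genuinely derived from the accompanying DNSKEY
    (typo in a web form, or a chosen digest with no key behind it) is refused
    before the registry ever signs it into the parent zone."""
    if ds["digest_type"] not in DIGEST_ALGS:
        return False, "unsupported digest type"
    rdata = parse_dnskey(dnskey_presentation)
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100:
        return False, "DNSKEY is not a zone key"
    if rdata[2] != 3:
        return False, "DNSKEY protocol field must be 3"
    if ds["algorithm"] != rdata[3]:
        return False, "DS algorithm does not match DNSKEY algorithm"
    if ds["key_tag"] != key_tag(rdata):
        return False, "DS key tag does not match DNSKEY"
    expected = ds_digest(owner, rdata, ds["digest_type"]).hex()
    if len(ds["digest"]) != len(expected):
        return False, "digest length wrong for digest type"
    if not hmac.compare_digest(ds["digest"].lower(), expected):
        return False, "digest does not match DNSKEY"
    return True, "ok"


# Constructed sample data: a KSK (flags 257) using algorithm 13 with made-up key bytes.
OWNER = "example.test."
DNSKEY_PRESENTATION = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
GOOD_DS = ds_from_dnskey(OWNER, parse_dnskey(DNSKEY_PRESENTATION), digest_type=2)
# Same record with a single hex digit of the digest changed, as a form typo would produce.
TAMPERED_DS = dict(GOOD_DS, digest=GOOD_DS["digest"][:-1] + ("0" if GOOD_DS["digest"][-1] != "0" else "1"))
# Right digest, wrong key tag: a DS copied from a different key.
WRONG_TAG_DS = dict(GOOD_DS, key_tag=(GOOD_DS["key_tag"] + 1) & 0xFFFF)

if __name__ == "__main__":
    for label, ds in (("genuine", GOOD_DS), ("tampered digest", TAMPERED_DS), ("wrong key tag", WRONG_TAG_DS)):
        print(label, check_ds_submission(OWNER, DNSKEY_PRESENTATION, ds))
```

Because the digest is recomputed from the DNSKEY rather than trusted from the form, a mistyped or attacker-chosen digest is caught at submission time instead of being signed into the parent zone; the key-tag and algorithm checks catch the cheaper copy-paste mistakes before any hashing is done.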
