How ENS-integration makes DNSSEC redundant


#1

Is there more to this claim than the DNS registry simply signing the ENS record with its public key?

I understand how this would verify the integrity of the record foo.com, but I don’t see how this would verify the integrity of bar.foo.com. I suppose in the record for foo.com it would say which public key is permitted to create the records *.foo.com, and then the record bar.foo.com is signed with some key, and then we only accept the domain bar.foo.com if everything matches all the way up?


#2

Hi Virgil!
From what I gather it is very much like what you outline. DNSSEC provides Delegation Signer (DS) records for parent domains which can be used to verify a DNSKEY record in a subdomain, which can then contain other DS records to verify further subdomains. These can be checked recursively up to the parent domain if needed. Would ENS check the DS and DNSKEY records at the DNS root?