Progress update on DNSSEC integration


Makoto and I spent most of this week working on DNS integration. I thought I’d give a brief progress update here:

  • We’ve implemented support for the SHA1 digest and RSASHA1 algorithm, so domains signed with older algorithms can be verified. I haven’t yet deployed these new algorithms on Ropsten.
  • We’ve made some minor changes to how TTLs and signature fields are handled, in response to feedback received at IETF 101.
  • We’ve started working on support for the NSEC record (which lets you delete a domain if you can prove it doesn’t exist). Once that’s done we’ll work on NSEC3 (the hashed version of same).
  • We’ve identified a JavaScript DNS library that should be suitable for implementing a web-based version of the dnsprove utility, to make proving ownership of a DNS domain far simpler than it is at present. It will need some updates, but is actively maintained, so it should not be an issue, hopefully.