You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
ICANN TLD owners can claim their names on Handshake following the reserved name-claim process. However, TXT records are prohibited in the apex of a TLD zone, so those users will have to use the bns-prove tool to create the DNSSEC proof outside the legacy DNS. The tool currently requires direct access to the ZSK and KSK:
The private keys themselves must be stored in BIND’s private key format (v1.3) and naming convention.
This poses a problem to TLD owners who use secure hardware to sign DNSSEC messages.
One solution could be adding two additional functions to bns-prove:
Format the claim TXT record in such a way that HSMs can sign it. This may be unnecessary since the HSM operator likely already has a process in place for signing DNS records with the machine. Formatting the TXT signing request with PKCS11 may refine this process.
Combine the signed TXT as returned by the HSM into the root of the DNSSEC proof so the Handshake claim transaction can be completed and submitted to the network.
The text was updated successfully, but these errors were encountered:
ICANN TLD owners can claim their names on Handshake following the reserved name-claim process. However, TXT records are prohibited in the apex of a TLD zone, so those users will have to use the
bns-provetool to create the DNSSEC proof outside the legacy DNS. The tool currently requires direct access to the ZSK and KSK:From https://hsd-dev.org/guides/claims.html:
This poses a problem to TLD owners who use secure hardware to sign DNSSEC messages.
One solution could be adding two additional functions to
bns-prove:Format the claim TXT record in such a way that HSMs can sign it. This may be unnecessary since the HSM operator likely already has a process in place for signing DNS records with the machine. Formatting the TXT signing request with PKCS11 may refine this process.
Combine the signed TXT as returned by the HSM into the root of the DNSSEC proof so the Handshake claim transaction can be completed and submitted to the network.
The text was updated successfully, but these errors were encountered: