I inform you that sometimes the registry allows multiple algorithms, but we have not implemented that yet.
Specifically, I inform you that there is no time frame to implement algorithm 13 for the .top domain.
[…]
So if you want to enable DNSSEC, please contact your DNS provider and inform them that you need the DS key for algorithm 5, which is supported.
OVH is indeed slow to adopt new standards.
What are my options here? Transfer my .top domain somewhere else?
That’s a very bad response from OVH; the change in their backend should be a very small one (like changing an ‘allowed algorithms’ parameter). Instead they shift the burden of changing the DNSSEC algorithm onto the nameserver side, which is a total no-go for large DNS providers.
That’s actually funny, as no implementation is required. All the registrar (OVH) has to do is forward to the (.top) registry whatever the domain owner has entered in the form. The limitation is in fact artificial.
Not only does that unnecessarily shift the burden to the DNS operator – algorithm 5 has also actually been forbidden for production use for a while: it is denoted “MUST NOT” in the “Use for DNSSEC Signing” column of Domain Name System Security (DNSSEC) Algorithm Numbers.
So, what they are asking is that DNS operators violate RFC standards because of an artificial limitation on the OVH side.
Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC. Such requests shall be accepted and processed in a secure manner and according to industry best practices. Registrars shall accept any public key algorithm and digest type that is supported by the TLD of interest and appears in the registries posted at: Domain Name System Security (DNSSEC) Algorithm Numbers and DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms.
If .top indeed did not support algorithm 13, then (even according to the RAA) OVH would be justified to reject such DS records – but in fact there’s a large number of .top domains hosted at deSEC and elsewhere that actually do have algorithm 13 DS records.
You could try pointing out to OVH that they’re in violation of the ICANN contract, and see if that makes a difference for them. However, I doubt they’ll be amenable.
As a last resort, it would probably be best to change registrars.
deSEC is currently compiling a list of registrars that violate the RAA, and is planning to file a compliance complaint with ICANN once we’ve collected enough for the complaint to have noticeable impact.
Stay secure,
Peter
PS: Note that the RAA does not apply to country-code TLDs (like .it) – but .top is a gTLD, where the RAA defines the relevant requirements.
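Since the thread turns on what a DS record actually is (something the domain owner derives from their own DNSKEY and the registrar merely relays), here is an added example, not code from any of the posters, that builds a DS record from a DNSKEY per RFC 4034 (key tag from Appendix B, SHA-256 digest over the wire-format owner name plus DNSKEY RDATA) and then checks the algorithm field against an abbreviated version of the IANA "Use for DNSSEC Signing" column. The owner name `example.top` and the all-zero public key are constructed test inputs; the status table is an assumption copied from the thread (algorithm 5 MUST NOT, 13 MUST) and should be checked against the live registry before use.

```python
import base64
import hashlib
import struct

# Abbreviated "Use for DNSSEC Signing" column of the IANA DNSSEC Algorithm
# Numbers registry, as discussed in the thread. ASSUMPTION: consult the live
# registry; this table is illustrative and deliberately incomplete.
SIGNING_STATUS = {
    1: "MUST NOT",      # RSAMD5
    3: "MUST NOT",      # DSA
    5: "MUST NOT",      # RSASHA1 (the algorithm OVH asks operators to use)
    8: "MUST",          # RSASHA256
    13: "MUST",         # ECDSAP256SHA256 (the algorithm OVH refuses to relay)
    15: "RECOMMENDED",  # ED25519
}

# Digest types from the DS RR Type Digest Algorithms registry -> (hash, hex length)
DIGEST_TYPES = {2: (hashlib.sha256, 64), 4: (hashlib.sha384, 96)}


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased as RFC 4034 section 5.1.4 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than 1, which uses a different rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Return the DS RR (presentation format) that a registrar should relay to the registry."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    hash_fn, _ = DIGEST_TYPES[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hash_fn(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def signing_status(algorithm: int) -> str:
    return SIGNING_STATUS.get(algorithm, "unknown")


def check_ds(ds_text: str) -> tuple[bool, str]:
    """Parse a DS RR and report (allowed_for_signing, registry_status) for its algorithm.

    Also rejects digests whose length does not match the declared digest type,
    which is the kind of input validation a registrar form should do instead of
    restricting the algorithm number.
    """
    fields = ds_text.split()
    idx = fields.index("DS")
    _tag, algorithm, digest_type, digest = fields[idx + 1:idx + 5]
    algorithm, digest_type = int(algorithm), int(digest_type)
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    if len(digest) != DIGEST_TYPES[digest_type][1]:
        raise ValueError("digest length does not match digest type")
    status = signing_status(algorithm)
    return status in ("MUST", "RECOMMENDED", "MAY"), status


if __name__ == "__main__":
    # Constructed inputs: a KSK (flags 257) with a dummy 4-byte public key.
    for alg in (13, 5):
        ds = ds_record("example.top", 257, 3, alg, "AAAAAA==")
        print(ds, "->", check_ds(ds))
```

The check_ds function accepts whatever algorithm and digest type the registries list, which is what the RAA text quoted above asks of registrars; the only hard rejection is a malformed digest. Run it to see that an algorithm-13 DS is accepted while the algorithm-5 DS OVH recommends is flagged as MUST NOT.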