--- Begin Message ---
Hi,
Thank you both for your feedback.
Just a heads-up: It seems like consensus (also in DNSOP) is to remove the
recommendation, so I've done so in the current revision. For details, see
https://mailarchive.ietf.org/arch/msg/dnsop/95p3c_nPddmSFVskOuxL7Z5kWfU/.
If you have any other feedback on the questions listed in that message, please
respond on DNSOP. Thanks!
Best,
Peter
On 10/15/25 02:34, Hugo Salgado wrote:
On 23:08 14/10, Viktor Dukhovni wrote:
On Tue, Oct 14, 2025 at 11:09:59AM +0200, Peter Thomassen via dns-operations wrote:
Section 6.1:
2. Parents, independently of their preference for CDS or CDNSKEY,
SHOULD require publication of both RRsets, and SHOULD NOT proceed
with updating the DS RRset if one is found missing or
inconsistent with the other.
While this at first glance indeed may seem like a not-so-good idea,
there are some arguments why the alternative may be an even worse
idea. An analysis of the problem is given in Section 6.2, which for
convenience I'm pasting below.
It would be extremely helpful to learn what's the view of DNSOP
participants on this matter, so you are invited :-)
Several notes:
a) The draft is only for new deployments of DS automation; it is not
trying to create work for existing ones.
b) The previous recommendation tells children to publish both; this
one is about the parent-side enforcement.
c) A misconception (to be clarified in the draft): the above does not
prevent the parent from choosing a digest type that's not in CDS. It
requires only that both RRsets exist and refer to the same keys, not
that the parent uses the exact digest types for the DS RRset.
My instinct is that the proposed requirements are needlessly strong, if
a child publishes CDNSKEY, there is nothing to be gained by the parent
also *mandating* corresponding CDS records. Yes, the child SHOULD
publish both, just in case the parent only supports CDS, but since
parents are expected to process both when both are published, until
and unless CDNSKEY is deprecated, I don't see a need to publish both.
If a child zone wants to enable CDS as a sanity check, fine, but, if
not, CDNSKEY should I think suffice.
I agree with Viktor. There are currently registries that only accept
DNSKEY from their children. In those cases, a child could just publish
CDNSKEY and it makes no sense to require both parent and child to check
CDS existence. It's a new requirement that doesn't exist in the current
"out-of-band" protocol.
Hugo
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Like our community service? 💛
Please consider donating at
https://desec.io/
deSEC e.V.
Möckernstraße 74
10965 Berlin
Germany
Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
--- End Message ---
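To make the parent-side rule under discussion concrete, here is an added worked example (written for this page; it is not code from the draft, from deSEC, or from any participant in the thread). It implements the check in Section 6.1 item 2 as clarified by note c): the parent refuses to touch the DS RRset unless both CDS and CDNSKEY are present and describe exactly the same keys, but it then derives the DS it publishes from CDNSKEY with its own preferred digest type, regardless of the digest types the child advertised in CDS. Record layouts follow RFC 4034 (DS digest over canonical owner name plus DNSKEY RDATA, key tag per Appendix B); the zone name and keys are constructed placeholders, not real key material, and the RFC 8078 deletion sentinel is deliberately out of scope.

```python
"""Parent-side CDS/CDNSKEY consistency check (added example, not from the draft).

Rule demonstrated: refuse a DS update if either RRset is missing or if the two
RRsets do not refer to the same keys; otherwise publish DS records derived from
CDNSKEY using the parent's own digest type.
"""
import hashlib
from dataclasses import dataclass

# DS digest types the parent can verify (RFC 4034 / RFC 6605 numbering).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class CDNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B, for every algorithm except RSA/MD5.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class CDS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner: str, key: CDNSKEY, digest_type: int) -> CDS:
    """The CDS/DS record a CDNSKEY yields for a given digest type (RFC 4034 5.1.4)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return CDS(key.key_tag(), key.algorithm, digest_type, digest)


def cds_cdnskey_consistent(owner: str, cds_set, cdnskey_set) -> bool:
    """True only if both RRsets exist and cover exactly the same set of keys."""
    if not cds_set or not cdnskey_set:
        return False  # one RRset missing: SHOULD NOT proceed with the DS update
    covered = set()
    for cds in cds_set:
        if cds.digest_type not in DIGEST_ALGS:
            return False  # unverifiable digest type: treat as inconsistent
        hits = [k for k in cdnskey_set
                if ds_from_dnskey(owner, k, cds.digest_type) == cds]
        if not hits:
            return False  # a CDS with no corresponding published CDNSKEY
        covered.update(hits)
    return covered == set(cdnskey_set)  # every CDNSKEY must appear in CDS too


def parent_ds_update(owner: str, cds_set, cdnskey_set, parent_digest_type: int = 2):
    """DS RRset the parent would publish, or None if the check fails.

    Note c) in the thread: the parent picks its own digest type here; the child's
    CDS digest types only had to be verifiable against CDNSKEY.
    """
    if not cds_cdnskey_consistent(owner, cds_set, cdnskey_set):
        return None
    return [ds_from_dnskey(owner, k, parent_digest_type) for k in cdnskey_set]


# Constructed sample data (placeholder key bytes, not real keys).
OWNER = "example.test."
KEY_A = CDNSKEY(257, 3, 13, bytes([1, 2]) * 32)   # KSK, ECDSA P-256 (64-byte key)
KEY_B = CDNSKEY(257, 3, 13, bytes([3, 4]) * 32)
CDS_A_SHA384 = ds_from_dnskey(OWNER, KEY_A, 4)    # child advertises SHA-384 only

if __name__ == "__main__":
    print("consistent:", cds_cdnskey_consistent(OWNER, [CDS_A_SHA384], [KEY_A]))
    print("parent publishes:", parent_ds_update(OWNER, [CDS_A_SHA384], [KEY_A]))
```

The interesting branch is the last one in `cds_cdnskey_consistent`: a CDNSKEY with no matching CDS also blocks the update, which is what makes the rule symmetric and is the part Viktor and Hugo object to for CDNSKEY-only children.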