On Mon, 25 Feb 2013, Olafur Gudmundsson wrote:
You have to be more strict than just "validation succeeds". You MUST
ensure the proper DNSKEYs matching the CDS records exist on ALL
secondary servers, and must wait AT LEAST a TTL time before being
willing to update the DS record.
New version says:
If present the Parental Agent MUST validate [RFC4035] the CDS RRset. If
the validation succeeds with a DNSKEY that is represented in the current
DS RRset in parent.
Hope that is strong enough
I'm not sure. I don't see RFC 4035 talking about what a recursor should
do when it needs to find DNSKEY x1 and it contacts a (random) child name
server and x1 is not there. Is that a bogus response, or will it try the
other child name servers in an attempt to find the x1 DNSKEY?
I think for a name server to roll its DS for the child, it should really
ensure the CDS records point to DNSKEYs that have been available in the
child zone for TTL(DNSKEY) time on _all_ child zone name servers.
This might be different from the "regular" policy of DNSSEC capable
resolvers.
Paul
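An added example (not from the thread or any draft) of the stricter acceptance check Paul describes: a CDS record is only honoured if a matching DNSKEY is present on every child name server and has been published for at least TTL(DNSKEY). Owner name, key bytes, server names and timestamps are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name (lowercase, length-prefixed labels)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def cds_acceptable(owner, cds, per_server_keys, first_seen, now, dnskey_ttl):
    """cds = (key_tag, algorithm, hex digest). per_server_keys maps each child
    NS to the DNSKEY RDATAs it currently serves; first_seen maps key tag to
    the time the key was first observed on all servers. Returns (ok, reason)."""
    tag, alg, digest = cds
    for server, keys in per_server_keys.items():
        if not any(key_tag(k) == tag and k[3] == alg and ds_digest(owner, k) == digest
                   for k in keys):
            return False, f"DNSKEY {tag} missing on {server}"
    if now - first_seen.get(tag, now) < dnskey_ttl:
        return False, f"DNSKEY {tag} not yet published for a full TTL"
    return True, "ok"

def demo():
    # Constructed data: two child name servers, one of which lags behind.
    owner = "child.example."
    new_key = dnskey_rdata(257, 3, 13, bytes(range(32)))
    old_key = dnskey_rdata(257, 3, 13, bytes(range(32, 64)))
    cds = (key_tag(new_key), 13, ds_digest(owner, new_key))
    servers = {"ns1.child.example.": [old_key, new_key],
               "ns2.child.example.": [old_key]}          # ns2 not yet updated
    return cds_acceptable(owner, cds, servers, {cds[0]: 0}, now=7200, dnskey_ttl=3600)
```

In practice `per_server_keys` would be filled by querying every server in the child's NS RRset rather than a single resolver, which is the point of the check.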
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop