Hi, I thought it would be good to start a thread about CDS or CDNSKEY, given the recent discussion on dnssec-deployment.
CDS is a nice proposal for automating the delegation signer information at the parent and is able to deal with all possible rollover scenarios. Its drawback, however, is that it cannot be used by registries that require the delegation signer information to be submitted as DNSKEY.

There are two straightforward solutions for this, imo:

1. New RRtype: CDNSKEY
   Which is similar to CDS except it publishes the DNSKEY RDATA elements of the to-be DS RRset. A parental agent that calculates the DS itself would poll for the CDNSKEY RRset.

2. Adjust the CDS RR format
   The CDS RDATA is equal to the DNSKEY RDATA plus one RDATA element for what (preferred) hash is to be used.

The first solution has some minor drawbacks:

* It requires a new RRtype for something that can also be done within an existing RRtype (CDS after changing the format).
* For the child signer system it would need an additional configuration knob to decide whether to publish CDS or CDNSKEY.

Adjusting the CDS RR format makes the CDS proposal compliant with both 'requiring DS' and 'requiring DNSKEY' registries.

Best regards,
Matthijs

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
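The message above assumes a parental agent that can take the DNSKEY RDATA published by the child (via CDNSKEY, or via a CDS whose RDATA is DNSKEY RDATA plus a preferred-hash field) and derive the DS itself. The following is an added example, not code from the post or from any registry or signer implementation, of that derivation: it serialises DNSKEY RDATA, computes the RFC 4034 Appendix B key tag, and hashes the canonical owner name plus RDATA into a DS digest. The `ds_from_cds_variant` layout (one trailing byte naming the digest type) is purely an assumption made here to illustrate the second proposal; the post does not fix the position or size of that field. The sample owner name and key bytes are constructed and are not a real key.

```python
"""Derive DS RDATA from DNSKEY RDATA, as a parental agent polling CDNSKEY would.

Standard-library only. Wire formats follow RFC 4034 (DNSKEY section 2, DS
section 5, key tag in Appendix B). All sample inputs below are constructed.
"""
import hashlib
import struct

# DS digest types from the IANA registry: 1 SHA-1, 2 SHA-256, 4 SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, root terminator."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialise DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 2.1.2)")
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit ones-complement-style sum over RDATA.

    Algorithm 1 (RSA/MD5) has its own rule and is rejected here.
    """
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    acc = 0
    for i in range(0, len(rdata), 2):
        word = rdata[i] << 8
        if i + 1 < len(rdata):          # an odd trailing byte is taken as the high octet
            word |= rdata[i + 1]
        acc += word
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int) -> dict:
    """Compute DS RDATA for a DNSKEY.

    digest = hash(canonical owner name wire | DNSKEY RDATA)   (RFC 4034 5.1.4)
    The digest type is parent policy here, as it would be with CDNSKEY.
    """
    try:
        h = DIGEST_ALGOS[digest_type]
    except KeyError:
        raise ValueError(f"unsupported DS digest type {digest_type}") from None
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_from_cds_variant(owner: str, cds_rdata: bytes) -> dict:
    """Second proposal in the post, under an ASSUMED layout: DNSKEY RDATA followed
    by a single byte naming the child's preferred DS digest type."""
    dnskey, preferred = cds_rdata[:-1], cds_rdata[-1]
    return ds_from_dnskey(owner, dnskey, preferred)


def ds_presentation(owner: str, ds: dict) -> str:
    """Render as zone-file text: 'owner. IN DS tag alg dtype digest'."""
    return (f"{owner.rstrip('.').lower()}. IN DS {ds['key_tag']} "
            f"{ds['algorithm']} {ds['digest_type']} {ds['digest']}")


# Constructed sample: KSK flags (257), ECDSAP256SHA256 (13), and a made-up
# 4-byte "public key" so the key-tag arithmetic can be checked by hand.
SAMPLE_OWNER = "Example.TEST."
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    for dtype in (1, 2, 4):
        print(ds_presentation(SAMPLE_OWNER, ds_from_dnskey(SAMPLE_OWNER, SAMPLE_RDATA, dtype)))
    print(ds_presentation(SAMPLE_OWNER, ds_from_cds_variant(SAMPLE_OWNER, SAMPLE_RDATA + b"\x02")))
```

Because the owner name is lowercased before hashing, the parent obtains the same DS regardless of how the child's name was written, and the same DNSKEY RDATA yields a different DS for each digest type, which is exactly the choice the post's extra hash field would let the child express.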
