The intent of the document at bootstrap is for the parent to perform sufficient 
tests to ensure they are conformable in bootstrapping the chain of trust, I 
agree with you that these tests and other could be performed by the parent to 
ensure the child/DNS Operator is "well behaved" and/or has "good DNSSEC 

I think defining the criteria for good DNSSEC hygiene is not in scope for this 
document, but this document could certainly reference something like
  with your details in section 8 "DNSSEC Requirements".

Also, I'm thinking at registration time to check immediately if the newly 
domain is suitable for DNSSEC bootstrapping, meaning the domain has a proper 
CDS or CDNSKEY and has good hygiene and all, so that when we publish the zone 
file with that new domain the DS record is included right away.  Any issues 
with that?


-----Original Message-----
From: DNSOP <> On Behalf Of Viktor Dukhovni
Sent: May 15, 2018 4:11 PM
To: dnsop <>
Subject: Re: [DNSOP] Acceptance processing in 
draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

> On May 15, 2018, at 3:57 PM, John Levine <> wrote:
> I think it's a swell idea to offer people DNSSEC testing services but
> it's hopeless to conflate it with key rotation.

I completely agree with you on key rotation, once the zone has already
been operating signed.  But the document also covers enrollment:

   This document describes a simple protocol that allows a third party
   DNS operator to: establish the initial chain of trust (bootstrap
   DNSSEC) for a delegation; update DS records for a delegation; and,
   remove DS records from a secure delegation.  The DNS operator may do
   these things in a trusted manner, without involving the Registrant
   for each operation.  This same protocol can be used by Registrants to
   maintain their own domains if they wish.

It is at the time of initial enrollment that I'd like to propose greater
due diligence.


DNSOP mailing list

DNSOP mailing list

Reply via email to