> On May 16, 2018, at 2:38 PM, Jacques Latour <jacques.lat...@cira.ca> wrote:
> The intent of the document at bootstrap is for the parent to perform 
> sufficient tests to ensure they are conformable in bootstrapping the chain of 
> trust, I agree with you that these tests and other could be performed by the 
> parent to ensure the child/DNS Operator is "well behaved" and/or has "good 
> DNSSEC hygiene".
> I think defining the criteria for good DNSSEC hygiene is not in scope for 
> this document, but this document could certainly reference something like 
> https://tools.ietf.org/html/draft-wallstrom-dnsop-dns-delegation-requirements-03
>   with your details in section 8 "DNSSEC Requirements".
> Also, I'm thinking at registration time to check immediately if the newly 
> domain is suitable for DNSSEC bootstrapping, meaning the domain has a proper 
> CDS or CDNSKEY and has good hygiene and all, so that when we publish the zone 
> file with that new domain the DS record is included right away.  Any issues 
> with that?

I am not a stickler for the means, so long as we achieve the same ends.
That is, provided the DNSSEC hygiene is somehow taken into account at
registration time, if this document points at some other document, that
may be OK.  My concern is only that not enough of the DANE-impacting
hygiene requirements may yet be written down.

I can make a list...  Should it go in this draft, or should I work with
Patrick Wallstrom to flesh out that draft?  Will this draft reference
the other one?


DNSOP mailing list

Reply via email to