I'm working on tools for KSK rollover automation at the moment.

It turns out that CDS records are very useful even if your parent zone
doesn't check them.

KSK rolls work better when the DS records are not simply generated from
the current DNSKEY RRset. You need to be a bit more clever if you want to
minimize interactions with the parent zone, or minimize the DNSKEY RRset
size, or do an algorithm rollover.

So your tool for setting DS records needs some way to ask the key store
what DS records should be. The nice thing about CDS records is that they
provide a standard way to do this, independent of the key store or signing
software. This allows registrar API clients to be decoupled from the
DNSSEC implementation.

This makes me wonder how well this observation generalizes to
multi-provider DNSSEC.

In model 1, the zone owner manages the KSK, so all the CDS/DS logic
remains centralized.

In model 2, each DNS provider has its own KSK, and does its own DNSKEY
RRset management. In order to support CDS/CDNSKEY, I think it is necessary
for each provider to (somehow) generate RRsets that are the union of their
CDS/CDNSKEY RRsets and the other provider's.

In normal cases, I think the "somehow" involves getting the other
provider's RRset, replacing any records corresponding to this provider's
keys with what this provider thinks they should be, and retaining any
records for unknown keys (which presumably belong to the other provider).
There's a mildly awkward risk of zombie records that are copied back and
forth despite neither provider knowing about them, but I suppose that can
be fixed manually if it arises. Or maybe it's simpler if this is done via
an API, like ZSK sharing :-)

Algorithm rollovers are more difficult, because loose consistency will not
work: a new algorithm needs to be introduced into the DS RRset for all
providers at the same time, and same for removing an old algorithm. In any
case, a zone owner will have to co-ordinate an algorithm rollover between
the providers, so it isn't a big problem that CDS records can't help.

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Fitzroy: Northerly or northwesterly 7 to severe gale 9, decreasing 6 at times
later. Very high at first in south, otherwise high, becoming very rough later.
Showers, thundery in south. Good, occasionally poor.
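The "get the other provider's RRset, replace our own records, keep the unknown ones" step above, as an added worked example in Python (this is not code from the original message, and nothing here is tied to any real key store or registrar API). It generates CDS records from a KSK's DNSKEY fields using the RFC 4034 key tag and the SHA-256 DS digest of RFC 4509, merges them with the other provider's published CDS RRset, and gives the zone owner a check for the zombie records the message mentions. The zone name `example.net.` and the three "public keys" are constructed sample values, not real key material.

```python
"""CDS generation and cross-provider CDS merging (illustrative, not from the post)."""
import hashlib
import struct

ZONE = "example.net."      # constructed sample zone
DIGEST_SHA256 = 2          # DS digest type 2 (RFC 4509)
ALG_ECDSAP256SHA256 = 13   # DNSKEY algorithm number
KSK_FLAGS = 257            # ZONE (256) + SEP (1) bits
PROTOCOL = 3               # always 3 for DNSKEY


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, as hashed into a DS digest."""
    wire = b""
    for label in name.rstrip(".").split("."):
        label = label.lower().encode("ascii")
        wire += bytes([len(label)]) + label
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire form: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def cds_from_dnskey(zone, flags, protocol, algorithm, pubkey):
    """CDS RDATA as a (key tag, algorithm, digest type, hex digest) tuple for one KSK."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(flags, protocol, algorithm, pubkey), algorithm, DIGEST_SHA256, digest)


def merge_cds(ours, theirs, our_key_ids):
    """Return the CDS RRset this provider should publish.

    ours        - CDS records for the keys this provider wants in the parent DS RRset
    theirs      - the CDS RRset currently published by the other provider
    our_key_ids - (key tag, algorithm) of every key this provider knows about, retired
                  ones included; their records are replaced by `ours`, and every other
                  record is assumed to belong to the other provider and kept verbatim.
    """
    retained = {r for r in theirs if (r[0], r[1]) not in our_key_ids}
    return sorted(retained | set(ours))


def zombie_records(published, live_key_ids):
    """Records claimed by neither provider: a check only the zone owner can run,
    since only the zone owner knows both providers' live key identities."""
    return sorted(r for r in published if (r[0], r[1]) not in live_key_ids)


# Constructed sample "public keys" (sequential bytes, not real keys).
KEY_A = bytes(range(1, 33))        # provider A's current KSK
KEY_B = bytes(range(101, 133))     # provider B's current KSK
KEY_OLD = bytes(range(200, 232))   # a long-retired KSK nobody remembers owning

CDS_A = cds_from_dnskey(ZONE, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, KEY_A)
CDS_B = cds_from_dnskey(ZONE, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, KEY_B)
CDS_OLD = cds_from_dnskey(ZONE, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, KEY_OLD)


def demo():
    """One merge round trip between the two providers, then the zombie check."""
    a_ids = {(CDS_A[0], CDS_A[1])}
    b_ids = {(CDS_B[0], CDS_B[1])}
    # Provider B currently publishes its own record plus the stale one.
    b_published = [CDS_B, CDS_OLD]
    # Provider A fetches B's RRset, adds its own record and keeps what it does not own.
    a_published = merge_cds([CDS_A], b_published, a_ids)
    # Provider B merges back from A's RRset; the stale record survives the round trip.
    b_published = merge_cds([CDS_B], a_published, b_ids)
    zombies = zombie_records(b_published, a_ids | b_ids)
    return a_published, b_published, zombies


if __name__ == "__main__":
    a_pub, b_pub, zombies = demo()
    for r in a_pub:
        print(ZONE, "CDS", *r)
    print("zombie records:", zombies)
```

`merge_cds` keys everything off the (key tag, algorithm) pair, so a key rollover within one provider works by listing both the old and new tags in `our_key_ids` while only the new record is in `ours`. The zombie check is deliberately a separate function taking the union of both providers' live identities: neither provider alone can tell a zombie from a record the other provider legitimately owns, which is exactly why the message expects such records to be cleaned up manually, or via an explicit API between the providers.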

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop