Mike Bishop has entered the following ballot position for draft-ietf-dnsop-cds-consistency-09: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Retaining my previous points here, since I think some text or an informative reference would be helpful, but the fact that they're understood and being considered in a related draft is enough to clear the DISCUSS. Thank you!

====

In Section 3.2, we see the following text:

> CSYNC-based updates may cause validation or even insecure resolution to break (e.g., by changing the delegation to a set of nameservers that do not serve required DNSKEY records or do not know the zone at all). Parental Agents SHOULD check that CSYNC-based updates, if applied, do not break the delegation.

Is there a definition of how the Parental Agent "check[s] that ... updates ... do not break the delegation"? I would have expected a more concrete instruction here, such as repeating the same queries on the proposed delegation targets and ensuring that they, too, return records consistent with what was found on the existing nameservers. Perhaps this already exists somewhere and a reference is sufficient?

From discussion, it appears that Section 2.2.1 of draft-ietf-dnsop-ds-automation addresses this in more detail.

I think what we ultimately want is something like "SHOULD synthesize the new NS, DS, and other records which would be applied if the update were accepted, then verify the existence and valid signature of the DNSKEY record on each nameserver referenced by an NS record in the new set."

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
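As an added worked example (editorial, not part of Mike Bishop's message nor of either draft), here is one way a Parental Agent could implement the check proposed above in Python: synthesize the NS and DS set that would be applied, then ask every nameserver in the new NS set for the child's DNSKEY RRset and confirm that the server knows the zone, serves a DNSKEY matching each proposed DS (RFC 4034 digest and key tag), and serves an RRSIG over DNSKEY made by a DS-referenced key. The zone name, keys and per-nameserver answers are constructed in-memory stand-ins for real DNS queries, and the RRSIG is checked only for consistency (covers DNSKEY, key tag in the DS set, signer is the child zone); verifying the signature cryptographically is left to a DNSSEC validator library.

```python
"""Parental Agent pre-check of a proposed CSYNC-derived delegation (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS record the parent would publish for this DNSKEY (RFC 4034 section 5.1.4)."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is modelled here")
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


@dataclass
class ProposedDelegation:
    zone: str
    ns: List[str]   # NS set that would be applied
    ds: List[DS]    # DS set that would be applied


@dataclass
class DNSKEYAnswer:
    """What one nameserver returned to 'DNSKEY <zone>'; None below means no answer."""
    dnskeys: List[DNSKEY]
    rrsigs: List[RRSIG]


Answers = Dict[str, Optional[DNSKEYAnswer]]


def check_delegation(proposal: ProposedDelegation, answers: Answers) -> List[str]:
    """Return a list of problems; an empty list means the update may be applied."""
    problems: List[str] = []
    ds_tags = {ds.key_tag for ds in proposal.ds}
    for ns in proposal.ns:
        ans = answers.get(ns)
        if ans is None:
            problems.append(f"{ns}: does not serve {proposal.zone}")
            continue
        if not ans.dnskeys:
            problems.append(f"{ns}: no DNSKEY RRset for {proposal.zone}")
            continue
        # every proposed DS must correspond to a DNSKEY this server actually serves
        for ds in proposal.ds:
            if not any(ds_from_dnskey(proposal.zone, k, ds.digest_type) == ds
                       for k in ans.dnskeys if k.algorithm == ds.algorithm):
                problems.append(f"{ns}: no DNSKEY matches DS key tag {ds.key_tag}")
        # the DNSKEY RRset must carry an RRSIG by one of the keys the DS set points at
        if not any(s.type_covered == "DNSKEY" and s.key_tag in ds_tags
                   and s.signer.lower() == proposal.zone.lower() for s in ans.rrsigs):
            problems.append(f"{ns}: DNSKEY RRset is not signed by a DS-referenced key")
    return problems


# ---- constructed sample data: hypothetical names and keys, not real zones ----
ZONE = "child.example."
KSK = DNSKEY(257, 3, 13, bytes(range(64)))             # key the new DS points at
ZSK = DNSKEY(256, 3, 13, bytes(range(64, 128)))
OLD_KSK = DNSKEY(257, 3, 13, bytes(range(128, 192)))   # only a stale server still has it
PROPOSED_DS = [ds_from_dnskey(ZONE, KSK)]


def signed_by(key: DNSKEY) -> RRSIG:
    return RRSIG("DNSKEY", key.algorithm, key_tag(key.rdata()), ZONE)


ANSWERS: Answers = {
    "ns1.good.example.": DNSKEYAnswer([KSK, ZSK], [signed_by(KSK)]),
    "ns2.stale.example.": DNSKEYAnswer([OLD_KSK, ZSK], [signed_by(OLD_KSK)]),
    "ns3.lame.example.": None,   # refuses the query: does not know the zone at all
}


def good_update() -> List[str]:
    return check_delegation(ProposedDelegation(ZONE, ["ns1.good.example."], PROPOSED_DS), ANSWERS)


def bad_update() -> List[str]:
    ns = ["ns1.good.example.", "ns2.stale.example.", "ns3.lame.example."]
    return check_delegation(ProposedDelegation(ZONE, ns, PROPOSED_DS), ANSWERS)


if __name__ == "__main__":
    print("good update problems:", good_update())
    for p in bad_update():
        print("bad update:", p)
```

In a real Parental Agent the `ANSWERS` table is replaced by DNSKEY queries sent directly to each address of every proposed nameserver (not through a caching resolver, so that a lame or stale server is not masked by cached data), and any non-empty problem list should block the CSYNC update rather than merely log it.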
