Hi Med, Donald, Roman,
On 5/19/26 09:36, [email protected] wrote:
> > As below, I consider my comments to have been resolved except for
> > my one comment that in Section 7.2, point 1, to replace "SHOULD"
> > with "MUST".
>
> I tend to agree with Donald's suggestion. That channel is needed for
> resilient/robust maintenance operations.

OK, I've applied this change.

I've used this opportunity to also address Roman's review [1], who rightly
pointed out that the -07 text does not mandate anything (because everything was
SHOULD), so any behavior would be compliant by the letter.

Indeed, there are some defining features of DS automation without which one
doesn't really have an implementation. I've scanned the document for those, and
elevated them from SHOULD to MUST. I believe that this is in effect a no-op
change, as claiming conformance with this RFC without these would amount to
some degree of trickery ;-)

The elevated requirements are (none of those are new themselves):

A.1.1: Verifying consistency across authoritative nameservers and between
       CDS/CDNSKEY RRsets (already mandatory via RFC 9975 [in auth48]), and not
       breaking validation when deploying a new DS RRset

A.3.1: Not suspending DS automation based on a registrar update lock alone
       (remains possible for other reasons)

A.3.2: If registry is doing DS automation: not suspending DS automation based
       on a registry update lock alone (remains possible for other reasons)

A.4.1: Keep some other channel for fixing DS RRsets (if child lost ability to
       publish CDS/CDNSKEY)

A.4.3: When executing an automatic CDS/CDNSKEY "DS-delete" request, do not stop
       automation afterwards (but remain open to re-initialization)

I've also clarified in Section 3 that conformance with this document requires
actually implementing DS bootstrapping + updates under the implementation
guidance of that document.
I'll push a new version briefly; meanwhile, changes can be viewed at [2].
Best,
Peter
[1]: https://mailarchive.ietf.org/arch/msg/dnsop/4CYrv_D3GOAgdWlt6kpVAzmY9co/
[2]: https://github.com/desec-io/draft-ietf-dnsop-ds-automation/commit/3174ba4b8f0a5eb217087b8531c6b0b24414f8e5
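
The consistency part of requirement A.1.1 listed in the message above, sketched as an added example (not part of the message or of the draft's text). Function names, the sample keys and the nameserver answers are constructed; it assumes SHA-256 CDS digests only and answers that were already fetched and DNSSEC-validated, and it does not cover the "not breaking validation" check.

```python
import hashlib
import struct

def name_wire(name):
    """Canonical (lower-case) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """(C)DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_key(owner, key, digest_type=2):
    """DS tuple (tag, algorithm, digest type, hex digest) for a key tuple."""
    rdata = dnskey_rdata(*key)
    digest = hashlib.sha256(name_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), key[2], digest_type, digest)

def consistency_problems(owner, answers):
    """answers: {nameserver: {"CDS": set of DS tuples, "CDNSKEY": set of keys}}.
    Returns a list of reasons to refuse the DS update (empty means consistent)."""
    problems = []
    # 1. Every authoritative nameserver must serve the same RRsets.
    for rrtype in ("CDS", "CDNSKEY"):
        if len({frozenset(a[rrtype]) for a in answers.values()}) > 1:
            problems.append(f"{rrtype} differs between nameservers")
    # 2. Where both RRsets are published, CDS must be derivable from CDNSKEY.
    for ns, a in sorted(answers.items()):
        if a["CDS"] and a["CDNSKEY"]:
            if {ds_from_key(owner, k) for k in a["CDNSKEY"]} != a["CDS"]:
                problems.append(f"{ns}: CDS does not match CDNSKEY")
    return problems

# Constructed sample: two Ed25519 (algorithm 15) KSKs with dummy key material.
OWNER = "example.com."
KEY_A = (257, 3, 15, bytes(range(32)))
KEY_B = (257, 3, 15, bytes(range(32, 64)))

def answer(key):
    return {"CDS": {ds_from_key(OWNER, key)}, "CDNSKEY": {key}}

if __name__ == "__main__":
    # ns2 still serves the old key: the parent must not act on this.
    print(consistency_problems(OWNER, {"ns1": answer(KEY_A), "ns2": answer(KEY_B)}))
```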