Dear DNSOP,
FYI, this revision is a response to IESG review where it was pointed out that
the document is toothless because conformance with -07 requires nothing. To say
that one implements this document should mean something (but of course
implementation overall remains a choice).
To address the concern, I've scanned the document for defining aspects of full
DS automation, and elevated the obvious ones from SHOULD to MUST. I think this
was an omission due to the notion that implementation overall is not mandatory.
Other implementations remain possible (such as, applying CDS/CDNSKEY updates
without properly validating them); it's only that while earlier one could claim
compliance with the draft (as it was SHOULD), one cannot do so now.
For a list of changes and further explanations see my response to Donald
Eastlake who had originally raised this:
https://mailarchive.ietf.org/arch/msg/dnsop/fKCJftrUql1Jtatp_l0rvXpjSdo/
Thanks,
Peter
On 5/19/26 13:04, [email protected] wrote:
Internet-Draft draft-ietf-dnsop-ds-automation-08.txt is now available. It is a
work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Operational Recommendations for DNSSEC Delegation Signer (DS)
Automation
Authors: Steve Sheng
Peter Thomassen
Name: draft-ietf-dnsop-ds-automation-08.txt
Pages: 26
Dates: 2026-05-19
Abstract:
Enabling support for automatic acceptance of DNSSEC Delegation Signer
(DS) parameters from the Child DNS operator (via RFCs 7344, 8078,
9615) requires the parental agent, often a registry or registrar, to
make a number of technical decisions around acceptance checks, error
and success reporting, and multi-party issues such as concurrent
updates. This document describes recommendations about how these
points are best addressed in practice.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-ds-automation/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-ds-automation-08.html
A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-ds-automation-08
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
--
Like our community service? 💛
Please consider donating at
https://desec.io/
deSEC e.V.
Möckernstraße 74
10965 Berlin
Germany
Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
