Hi Mahesh,
Just a small heads-up:
On 5/21/26 14:19, Peter Thomassen wrote:
> > - Authentication compromise: If an attacker gains control of child
> > zone signing keys or nameservers, automated DS updates become an
> > attack vector. The checks in Section 4.1 partially mitigate this,
> > but the residual risk is not articulated.
>
> Also a good point. Same as above, I will post proposed text in Deb's review
> thread.
I had missed the word "zone" in "child zone signing keys". The concern only
applies to SEP keys (that is, KSK or CSK), as this is the key that needs to sign CDS/CDNSKEY RRsets
(see RFC 7344 Section 4.1). I'll phrase the security consideration accordingly.
Best,
Peter
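The acceptance rule Peter refers to (RFC 7344 Section 4.1: the CDS/CDNSKEY RRset must be signed with a key that is in the child's DNSKEY RRset and is represented in the parent's current DS RRset) is what limits the concern to the SEP key. The following is an added example, not code from the draft, the thread or any parental-agent implementation. It computes key tags (RFC 4034 Appendix B) and SHA-256 DS digests (RFC 4034 Section 5) for constructed sample keys, then applies the Section 4.1 key-selection rule to a CDS RRset whose RRSIGs are assumed to have already been cryptographically verified; the zone name, key material and the `cds_update_acceptable` helper are all constructed for illustration.

```python
"""RFC 7344 Section 4.1 acceptance check for CDS-driven DS updates (added example).

Only the key-selection rule is modelled: which signing keys are allowed to
authorise a DS change. Cryptographic verification of RRSIG(CDS) is assumed to
have happened already. All keys and names below are constructed samples.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

DS = Tuple[int, int, int, str]   # (key_tag, algorithm, digest_type, hex digest)


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = ZSK; 257 = KSK or CSK (SEP bit set)
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    pubkey: bytes     # raw public key material (constructed here)

    def rdata(self) -> bytes:
        # DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key
        return struct.pack("!HBB", self.flags, 3, self.algorithm) + self.pubkey

    def key_tag(self) -> int:
        # RFC 4034 Appendix B (the formula does not apply to obsolete algorithm 1)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    # Canonical (lowercase, uncompressed) wire form of the owner name
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner: str, key: DNSKEY) -> DS:
    # RFC 4034 Section 5.1.4: digest over owner name || DNSKEY RDATA; type 2 = SHA-256
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).hexdigest()
    return (key.key_tag(), key.algorithm, 2, digest)


def cds_update_acceptable(owner: str, parent_ds: Iterable[DS],
                          child_dnskeys: Iterable[DNSKEY],
                          cds_rrsig_signers: Set[Tuple[int, int]]) -> bool:
    """RFC 7344 Section 4.1: accept the CDS RRset only if at least one of its
    (already verified) RRSIGs was made by a key that is both in the child's
    DNSKEY RRset and represented in the parent's current DS RRset.
    cds_rrsig_signers holds (key_tag, algorithm) pairs taken from RRSIG(CDS)."""
    trusted = set(parent_ds)
    for key in child_dnskeys:
        if (key.key_tag(), key.algorithm) in cds_rrsig_signers \
                and ds_record(owner, key) in trusted:
            return True
    return False


# Constructed sample zone: one KSK (SEP) and one ZSK, both algorithm 13
ZONE = "child.example."
KSK = DNSKEY(flags=257, algorithm=13, pubkey=bytes(range(0, 64)))
ZSK = DNSKEY(flags=256, algorithm=13, pubkey=bytes(range(64, 128)))
PARENT_DS = {ds_record(ZONE, KSK)}          # what the parent currently publishes


def cds_signed_by_ksk() -> bool:
    # Legitimate case: RRSIG(CDS) made with the key behind the current DS
    return cds_update_acceptable(ZONE, PARENT_DS, [KSK, ZSK], {(KSK.key_tag(), 13)})


def cds_signed_by_zsk() -> bool:
    # A ZSK can sign the zone's data but has no DS at the parent, so it
    # cannot authorise a DS change even if it is compromised
    return cds_update_acceptable(ZONE, PARENT_DS, [KSK, ZSK], {(ZSK.key_tag(), 13)})


if __name__ == "__main__":
    print("KSK-signed CDS accepted:", cds_signed_by_ksk())   # True
    print("ZSK-signed CDS accepted:", cds_signed_by_zsk())   # False
```

The two cases make the residual risk concrete from the parent's side: the rule rejects a CDS RRset signed only by a ZSK or by any key not yet in the DS RRset, but it cannot distinguish a legitimate rollover from one performed by whoever holds the current SEP key, which is why the security consideration needs to be scoped to that key rather than to "zone signing keys" generally.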
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]