Hi Peter, I look forward to the updated draft. Thanks.

> On May 21, 2026, at 9:54 AM, Peter Thomassen <[email protected]> wrote:
>
> Hi Mahesh,
>
> Just a small heads-up:
>
> On 5/21/26 14:19, Peter Thomassen wrote:
>>> - Authentication compromise: If an attacker gains control of child
>>> zone signing keys or nameservers, automated DS updates become an
>>> attack vector. The checks in Section 4.1 partially mitigate this,
>>> but the residual risk is not articulated.
>> Also a good point. Same as above, I will post proposed text in Deb's review
>> thread.
>
> I had missed the word "zone" in "child zone signing keys". The concern only
> applies to SEP keys (that is, KSK or CSK), as this is the key that needs to
> sign CDS/CDNSKEY RRsets (see RFC 7344 Section 4.1). I'll phrase the security
> consideration accordingly.
>
> Best,
> Peter

Mahesh Jethanandani
[email protected]
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
