In message <[email protected]>, tlhackque writes: > In the other discussions were comments on IDs that became RFCs 7344 and > 7477. 7344 defines a "pull" model for hoisting DS records from the > child domain into the parent, secured by DNSSEC. BIND and Net::DNS have > support for the CDS and CDNSKEY record types. I haven't heard of any > registrar implementing this as yet. I also haven't heard of any further > work on "triggering mechanisms" for 7344 (6.1.2). News on either front > would be welcome.
Named doesn't yet sign CDS and CDNSKEY RRsets correctly. The signing model for CDS and CDNSKEY is not that of regular RRsets. The signing model is that of a DNSKEY record with a matching DS record. Signers need to special case CDS and CDNSKEY. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected]
