<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>OK - so I read RFC7344... <span class="h1">Automating DNSSEC
Delegation Trust Maintenance</span></p>
<p><span class="h1">There are two interesting paragraphs.....</span></p>
<p><span class="h1"><u><i>5. CDS/CDNSKEY Publication</i></u><i><br>
</i><i><br>
</i><i> The Child DNS Operator publishes CDS/CDNSKEY
RRset(s). In order to</i><i><br>
</i><i> be valid, the CDS/CDNSKEY RRset(s) MUST be compliant
with the rules</i><i><br>
</i><i> in Section 4.1. <b>When the Parent DS is in sync
with the CDS/CDNSKEY</b></i><b><i><br>
</i></b><b><i> RRset(s), the Child DNS Operator MAY delete
the CDS/CDNSKEY RRset(s);</i></b><i><br>
</i><i> the Child can determine if this is the case by
querying for DS</i><i><br>
</i><i> records in the Parent.</i><br>
<br>
<br>
<br>
<u><i>6.1.1. CDS/CDNSKEY Polling</i></u><i><br>
</i><i><br>
</i><i> This is the only defined use of CDS/CDNSKEY resource
records in this</i><i><br>
</i><i> document. There are limits to the scalability of
polling techniques;</i><i><br>
</i><i> thus, some other mechanism is likely to be specified
later that</i><i><br>
</i><i> addresses CDS/CDNSKEY resource record usage in the
situation where</i><i><br>
</i><i> polling runs into scaling issues. Having said that,
polling will</i><i><br>
</i><i> work in many important cases such as enterprises,
universities, and</i><i><br>
</i><i> smaller TLDs. In many regulatory environments, the
Registry is</i><i><br>
</i><i> prohibited from talking to the Registrant. In most of
these cases,</i><i><br>
</i><i> the Registrant has a business relationship with the
Registrar, so the</i><i><br>
</i><i> Registrar can offer this as a service.</i><i><br>
</i><i><br>
</i><i> <b>If the CDS/CDNSKEY RRset(s) do not exist, the
Parental Agent MUST</b></i><b><i><br>
</i></b><b><i> take no action. Specifically, it MUST NOT
delete or alter the</i></b><b><i><br>
</i></b><b><i> existing DS RRset.</i></b><br>
<br>
I'm confused. There is no text describing how a Key Rollover
might work. The Child can delete the CDS once it believed the
Parent has activated the appropriate DS. There is no discussion
on how a Parent will know to remove that DS record... unless it
is via asking the Child for all existing DNSKEY records of type
257 and then recalculating the DS records and working out what
is missing. Then we don't need CDS records at all - just Poll
for DNSKEY records?<br>
</span></p>
<p><span class="h1">I think I really prefer the simplicity of
mirroring the CDS's of a Child into the DS's on the Parent.
Makes handling of Null CDS records easier.<br>
</span></p>
<div class="moz-cite-prefix">On 2022/11/24 09:50, Matthijs Mekking
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e879100f-e6f6-0dbc-13f5-e64a7297e166@isc.org">Hi,
<br>
<br>
I think this should work with some caveats.
<br>
<br>
<br>
This is true for BIND 9, as it will publish the CDS for as long as
the DS should be in the parent. But it doesn't have to be the
case. The RFC (7344) says:
<br>
<br>
When the Parent DS is in sync with the CDS/CDNSKEY
<br>
RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY
RRset(s);
<br>
the Child can determine if this is the case by querying for DS
<br>
records in the Parent.
<br>
-- <br>
</blockquote>
<div class="moz-signature">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title></title>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: <a href="tel:+27826010496">+27.826010496</a><br>
<br>
<br>
<br>
</p>
</div>
</body>
</html>