On 23:08 14/10, Viktor Dukhovni wrote:
> On Tue, Oct 14, 2025 at 11:09:59AM +0200, Peter Thomassen via dns-operations wrote:
>
> > Section 6.1:
> >
> >     2. Parents, independently of their preference for CDS or CDNSKEY,
> >        SHOULD require publication of both RRsets, and SHOULD NOT proceed
> >        with updating the DS RRset if one is found missing or
> >        inconsistent with the other.
> >
> > While this at first glance indeed may seem like a not-so-good idea,
> > there are some arguments why the alternative may be an even worse
> > idea. An analysis of the problem is given in Section 6.2, which for
> > convenience I'm pasting below.
> >
> > It would be extremely helpful to learn what's the view of DNSOP
> > participants on this matter, so you are invited :-)
> >
> > Several notes:
> >
> > a) The draft is only for new deployments of DS automation; it is not
> > trying to create work for existing ones.
> >
> > b) The previous recommendation tells children to publish both; this
> > one is about the parent-side enforcement.
> >
> > c) A misconception (to be clarified in the draft): the above does not
> > prevent the parent from choosing a digest type that's not in CDS. It
> > requires only that both RRsets exist and refer to the same keys, not
> > that the parent uses the exact digest types for the DS RRset.
>
> My instinct is that the proposed requirements are needlessly strong; if
> a child publishes CDNSKEY, there is nothing to be gained by the parent
> also *mandating* corresponding CDS records. Yes, the child SHOULD
> publish both, just in case the parent only supports CDS, but since
> parents are expected to process both when both are published, until
> and unless CDNSKEY is deprecated, I don't see a need to publish both.
>
> If a child zone wants to enable CDS as a sanity check, fine, but, if
> not, CDNSKEY should I think suffice.
I agree with Viktor. There are currently registries that only accept DNSKEY from their children. In those cases, a child could just publish CDNSKEY, and it makes no sense to require both parent and child to check CDS existence. It's a new requirement that doesn't exist in the current "out-of-band" protocol.

Hugo

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
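For readers who want to see what the parent-side check discussed above actually involves, here is an added example (not code from the draft, from the thread, or from any registry's implementation) of the consistency rule in Peter's note (c): both RRsets must exist and refer to the same keys, but the parent remains free to publish a DS with whatever digest type it prefers. The zone name, the key material, and the RRsets are constructed sample data; the key tag and DS digest computations follow RFC 4034, and the "delete" sentinel handling follows RFC 8078.

```python
"""Parent-side CDS/CDNSKEY consistency check (added example, not the draft's code).

Policy implemented: refuse to touch the DS RRset unless both CDS and CDNSKEY
are present, every CDS record verifies against a CDNSKEY record with the same
key tag and algorithm, and every CDNSKEY record is referred to by some CDS.
The parent may still derive its own DS (any digest type) from the verified key.
"""
import hashlib
from typing import List, NamedTuple, Tuple

# DS digest types the checker understands (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


class CDNSKEY(NamedTuple):
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes


class CDS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex


# RFC 8078 delete sentinels: "CDNSKEY 0 3 0 AA==" and "CDS 0 0 0 00".
DELETE_CDNSKEY = CDNSKEY(0, 3, 0, b"\x00")
DELETE_CDS = CDS(0, 0, 0, "00")


def dnskey_rdata(k: CDNSKEY) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return k.flags.to_bytes(2, "big") + bytes([k.protocol, k.algorithm]) + k.pubkey


def key_tag(k: CDNSKEY) -> int:
    """RFC 4034 Appendix B key tag (the algorithm 1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(k)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of the owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, k: CDNSKEY, digest_type: int) -> str:
    """DS digest, RFC 4034 section 5.1.4: hash(owner name | DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_wire(owner) + dnskey_rdata(k))
    return h.hexdigest()


def cds_for(owner: str, k: CDNSKEY, digest_type: int = 2) -> CDS:
    """The CDS record a child would publish for key k (used to build sample data)."""
    return CDS(key_tag(k), k.algorithm, digest_type, ds_digest(owner, k, digest_type))


def check_cds_cdnskey(owner: str, cds: List[CDS], cdnskey: List[CDNSKEY]) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only when both RRsets exist and agree."""
    if not cds or not cdnskey:
        return False, "CDS or CDNSKEY missing; not updating DS"
    if (DELETE_CDS in cds) != (DELETE_CDNSKEY in cdnskey):
        return False, "delete sentinel present in only one RRset"
    if DELETE_CDS in cds:
        if len(cds) == 1 and len(cdnskey) == 1:
            return True, "both RRsets signal DS deletion"
        return False, "delete sentinel must be the only record in each RRset"
    matched = set()
    for c in cds:
        if c.digest_type not in DIGEST_ALGS:
            return False, f"unsupported CDS digest type {c.digest_type}"
        hits = [k for k in cdnskey
                if key_tag(k) == c.key_tag and k.algorithm == c.algorithm
                and ds_digest(owner, k, c.digest_type) == c.digest.lower()]
        if not hits:
            return False, f"CDS key tag {c.key_tag} matches no CDNSKEY"
        matched.update(hits)
    unreferenced = [k for k in cdnskey if k not in matched]
    if unreferenced:
        return False, f"CDNSKEY key tag {key_tag(unreferenced[0])} has no CDS"
    return True, "CDS and CDNSKEY refer to the same keys"


# Constructed sample data (not real keys): 64-byte "public keys" for algorithm 13.
ZONE = "example."
KSK = CDNSKEY(flags=257, protocol=3, algorithm=13, pubkey=b"\x01" * 64)
KSK2 = CDNSKEY(flags=257, protocol=3, algorithm=13, pubkey=b"\x02" * 64)
CDNSKEY_RRSET = [KSK]
CDS_RRSET = [cds_for(ZONE, KSK, 2)]

if __name__ == "__main__":
    print(check_cds_cdnskey(ZONE, CDS_RRSET, CDNSKEY_RRSET))
    print(check_cds_cdnskey(ZONE, CDS_RRSET, CDNSKEY_RRSET + [KSK2]))
    # The parent may publish a SHA-384 DS even though the child's CDS is SHA-256.
    print(ds_digest(ZONE, KSK, 4))
```

Note that the check never compares digest types between the CDS and the DS the parent eventually publishes: once a CDNSKEY has been verified against its CDS, `ds_digest` can produce the parent's preferred digest type from that key, which is exactly the point of note (c).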
