> That is certainly relevant to rollover, but it doesn't specify any means
> by which the new DS records can be placed in the parent zone.

You're correct, there's no mechanism for doing this within the DNS. You need to update DS records through your registrar just as you do with NS records and glue. I hear there's an effort under way to develop an in-protocol mechanism for DS tracking, but I don't know how far along it is.

> The mechanism that occurs to me is to have a new RRtype, say "CDS", with
> identical format to the DS record, but placed in the child zone (and
> signed by the child zone).

You've got a chicken-egg problem there: How does the parent know it should trust the key that signed the CDS?

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop