I have one quick question about CDS/CDNSKEY: what's the (or "an")
expected operation for the parent to remove a DS RR of a child that
was obsolete and is now removed from the child zone?

This point is not clear to me on a quick rescan of
draft-ietf-dnsop-delegation-trust-maintainance-02.

According to Section 3:

   The CDS / CDNSKEY record is published in the child zone and gives the
   child control of what is published for it in the parental zone.  The
   CDS / CDNSKEY RRset expresses what the child would like the DS RRset
   to look like after the change; [...]

it could be read as: the child would remove the CDS or CDNSKEY for the
now-removed DNSKEY, but that may contradict Section 4.1:

   Absence of CDS / CDNSKEY in child signals "No change" to the current
   DS set.

(BTW: this sentence is a bit ambiguous to me.  Does this mean there's
no CDS/CDNSKEY RR for the apex name, or the absence of CDS/CDNSKEY for
a specific DNSKEY?)

and also Section 5:

   When the Parent DS is "in-sync" with the CDS, the Child DNS Operator
   MAY delete the CDS RRset.

i.e., if the child may delete a CDS for a new DNSKEY after
synchronization, clearly it cannot use the removal of CDS as an
indication of the removal of DNSKEY.

Am I missing some part of the draft that answers my question, or is
this actually out of scope of CDS/CDNSKEY?

P.S. Apologies in advance if this was already discussed; I don't remember
all previous discussions of the proposal.

--
JINMEI, Tatuya
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
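As an added example (not code from the thread or from the draft), the following Python model shows one reading of the quoted Section 3 and Section 4.1 text: the child's CDS/CDNSKEY RRset as a whole is the desired DS RRset, and "absence" can only mean the whole RRset, since an RRset with zero records does not exist in DNS. Under that reading, dropping a retired key is expressed by publishing a CDS RRset that omits it, while deleting the CDS RRset after sync leaves the DS RRset untouched. The key tag and DS digest follow RFC 4034; the `next_ds_rrset` acceptance rule, the `CDSRejected` class, the zone name and the sample keys are assumptions made for this example, and the signer check compares key tags only for brevity.

```python
import hashlib
from typing import NamedTuple


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: str       # lowercase hex


class DNSKEY(NamedTuple):
    flags: int        # 257 = KSK (SEP bit set)
    protocol: int     # always 3
    algorithm: int
    public_key: bytes


def _owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, root label last."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _rdata(key: DNSKEY) -> bytes:
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key


def key_tag(key: DNSKEY) -> int:
    """Key tag computed as in RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """SHA-256 DS for a DNSKEY: what a CDNSKEY becomes at the parent (RFC 4034 5.1.4)."""
    digest = hashlib.sha256(_owner_wire(owner) + _rdata(key)).hexdigest()
    return DS(key_tag(key), key.algorithm, 2, digest)


class CDSRejected(Exception):
    """Raised when the parent refuses to act on the child's CDS RRset (assumed policy)."""


def next_ds_rrset(current_ds, child_cds, signer_tags):
    """DS RRset the parent should publish after inspecting the child's CDS RRset.

    current_ds : DS records currently in the parent zone
    child_cds  : DS records from the child's CDS RRset (CDNSKEYs already converted),
                 or None/empty when the child publishes no CDS RRset at its apex
    signer_tags: key tags of the DNSKEYs whose RRSIGs over the CDS RRset validated
    """
    current = frozenset(current_ds)
    # An RRset cannot be empty, so "no CDS RRset at the apex" is the only
    # absence the protocol can express; it maps to "No change" here.
    if not child_cds:
        return current
    # Assumed acceptance rule: the CDS RRset must be signed by a key that is
    # already represented in the current DS RRset (tag comparison only here).
    if not any(ds.key_tag in signer_tags for ds in current):
        raise CDSRejected("CDS RRset not signed by a key represented in the current DS RRset")
    # The CDS RRset as a whole is the desired DS RRset: a DS the child left
    # out is removed, a DS the child added is published.
    return frozenset(child_cds)


def walkthrough():
    """Constructed KSK rollover for 'example.' ending with removal of the old key."""
    zone = "example."
    old = DNSKEY(257, 3, 13, bytes(range(1, 65)))      # constructed sample key
    new = DNSKEY(257, 3, 13, bytes(range(65, 129)))    # constructed sample key
    ds_old, ds_new = ds_from_dnskey(zone, old), ds_from_dnskey(zone, new)
    steps = []
    ds = frozenset({ds_old})
    # 1. new key introduced: CDS lists both, signed with the old (trusted) key
    ds = next_ds_rrset(ds, {ds_old, ds_new}, {key_tag(old)})
    steps.append(ds)
    # 2. child deletes the CDS RRset once the parent is in sync: no change
    ds = next_ds_rrset(ds, None, set())
    steps.append(ds)
    # 3. old key retired: CDS lists only the new key, signed with the new key
    ds = next_ds_rrset(ds, {ds_new}, {key_tag(new)})
    steps.append(ds)
    return ds_old, ds_new, steps


if __name__ == "__main__":
    _, _, steps = walkthrough()
    for i, rrset in enumerate(steps, 1):
        print(f"step {i}: DS key tags {sorted(ds.key_tag for ds in rrset)}")
```

Step 2 is the Section 5 case: the child withdrew its CDS RRset and the parent kept both DS records, so withdrawal carries no removal signal. Step 3 is the removal case under the whole-RRset reading: the child had to publish a CDS RRset that lists only the surviving key, and it had to sign it with a key the parent already has a DS for, otherwise `next_ds_rrset` refuses it.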
