The intent of the document at bootstrap is for the parent to perform sufficient tests to ensure they are comfortable in bootstrapping the chain of trust. I agree with you that these tests and others could be performed by the parent to ensure the child/DNS Operator is "well behaved" and/or has "good DNSSEC hygiene".
I think defining the criteria for good DNSSEC hygiene is not in scope for this document, but this document could certainly reference something like https://tools.ietf.org/html/draft-wallstrom-dnsop-dns-delegation-requirements-03 with your details in section 8 "DNSSEC Requirements".

Also, I'm thinking at registration time to check immediately if the new domain is suitable for DNSSEC bootstrapping, meaning the domain has a proper CDS or CDNSKEY and has good hygiene and all, so that when we publish the zone file with that new domain the DS record is included right away. Any issues with that?

-----Original Message-----
From: DNSOP <dnsop-boun...@ietf.org> On Behalf Of Viktor Dukhovni
Sent: May 15, 2018 4:11 PM
To: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

> On May 15, 2018, at 3:57 PM, John Levine <jo...@taugh.com> wrote:
>
> I think it's a swell idea to offer people DNSSEC testing services but
> it's hopeless to conflate it with key rotation.

I completely agree with you on key rotation, once the zone has already been operating signed. But the document also covers enrollment:

   This document describes a simple protocol that allows a third party
   DNS operator to: establish the initial chain of trust (bootstrap
                    -----------------------------------------------
   DNSSEC) for a delegation; update DS records for a delegation; and,
   ------------------------
   remove DS records from a secure delegation. The DNS operator may do
   these things in a trusted manner, without involving the Registrant
   for each operation. This same protocol can be used by Registrants to
   maintain their own domains if they wish.

It is at the time of initial enrollment that I'd like to propose greater due diligence.

-- 
Viktor.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
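The registration-time check proposed in the reply above (accept a new domain's CDS into the parent zone as DS only if it points at a key the child actually serves and the child's nameservers agree) can be written as a small acceptance filter. What follows is an added example, not code from the draft or from anyone in this thread. It assumes the CDS RRsets have already been fetched from each of the child's nameservers and DNSSEC-validated against the child's DNSKEY RRset as RFC 7344 requires; only the consistency and digest checks are implemented here. The zone name, the DNSKEY records and the public-key bytes are constructed, not real keys, and treating the SEP bit as required is this example's own policy choice (RFC 4034 defines it only as a hint).

```python
"""
Parent-side acceptance checks on a child's CDS RRset before the DS is published.
Added example (not from the draft or the thread); all sample records are constructed.
"""
import hashlib
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class CDS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    # Canonical owner name: lowercase labels, length-prefixed, root-terminated
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(name: str, key: DNSKEY, digest_type: int) -> bytes:
    # RFC 4034 section 5.1.4: digest(owner name | DNSKEY RDATA)
    return DIGEST_ALGS[digest_type](owner_wire(name) + key.rdata()).digest()


def cds_for(name: str, key: DNSKEY, digest_type: int = 2) -> CDS:
    """The CDS a well-behaved child would publish for `key` (used to build test data)."""
    return CDS(key.key_tag(), key.algorithm, digest_type, ds_digest(name, key, digest_type))


def bootstrap_problems(name: str, dnskeys: set, cds_by_server: dict) -> list:
    """Return reasons NOT to publish DS for `name`; an empty list means acceptable.

    cds_by_server maps a nameserver label to the set of CDS records it returned
    (assumed already fetched and RRSIG-validated by the caller).
    """
    problems = []
    views = list(cds_by_server.values())
    if not views:
        return ["no nameserver returned a CDS RRset"]
    if any(v != views[0] for v in views[1:]):
        problems.append("CDS RRset differs between the child's nameservers")
    cds_set = views[0]
    if not cds_set:
        problems.append("empty CDS RRset")
    for cds in cds_set:
        if (cds.key_tag, cds.algorithm, cds.digest_type) == (0, 0, 0):
            # RFC 8078 section 4: "0 0 0 00" asks the parent to remove DS, never to add it
            problems.append("CDS is the RFC 8078 delete record; cannot bootstrap from it")
            continue
        if cds.digest_type not in DIGEST_ALGS:
            problems.append(f"unsupported digest type {cds.digest_type}")
            continue
        matches = [k for k in dnskeys
                   if k.key_tag() == cds.key_tag and k.algorithm == cds.algorithm
                   and ds_digest(name, k, cds.digest_type) == cds.digest]
        if not matches:
            problems.append(f"CDS keytag {cds.key_tag} matches no DNSKEY in the child's RRset")
        elif not any(k.flags & 0x0001 for k in matches):
            # SEP bit (flags & 1) marks a KSK; requiring it is a hygiene policy of this example
            problems.append(f"CDS keytag {cds.key_tag} points at a DNSKEY without the SEP bit")
    return problems


if __name__ == "__main__":
    ZONE = "example.com."                          # constructed
    ksk = DNSKEY(257, 3, 13, bytes(range(64)))     # constructed, not a real P-256 key
    zsk = DNSKEY(256, 3, 13, bytes(range(64, 128)))
    good = {cds_for(ZONE, ksk)}
    print("consistent child:", bootstrap_problems(ZONE, {ksk, zsk}, {"ns1": good, "ns2": good}))
    print("split view:", bootstrap_problems(ZONE, {ksk, zsk}, {"ns1": good, "ns2": {cds_for(ZONE, zsk)}}))
```

In a registry pipeline this would run once per newly created delegation, after the CDS RRsets have been collected from every authoritative server listed in the delegation; any non-empty result keeps the DS out of the published zone and is logged against the registrar or DNS operator that submitted the domain.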