Dear DNSOP,

As discussed in https://mailarchive.ietf.org/arch/msg/dnsop/nQQsixIT5cXFukBq4Ky67mCniAk/, I wrote a short I-D to update RFC 7344 such that CDS/CDNSKEY consistency is mandatory across authoritative nameservers. The result is below.

Looking forward to your feedback.

Cheers,
Peter

-------- Forwarded Message --------
Subject: New Version Notification for draft-thomassen-dnsop-cds-consistency-00.txt
Date: Sat, 09 Jul 2022 04:36:46 -0700
From: internet-dra...@ietf.org
To: Peter Thomassen <pe...@desec.io>

A new version of I-D, draft-thomassen-dnsop-cds-consistency-00.txt has been successfully submitted by Peter Thomassen and posted to the IETF repository.

Name: draft-thomassen-dnsop-cds-consistency
Revision: 00
Title: Ensuring CDS/CDNSKEY Consistency is Mandatory
Document date: 2022-07-09
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/archive/id/draft-thomassen-dnsop-cds-consistency-00.txt
Status: https://datatracker.ietf.org/doc/draft-thomassen-dnsop-cds-consistency/
Html: https://www.ietf.org/archive/id/draft-thomassen-dnsop-cds-consistency-00.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-thomassen-dnsop-cds-consistency

Abstract:
For maintaining DNSSEC Delegation Trust, DS records have to be kept up to date. [RFC7344] automates this by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Parent-side entities (e.g. Registries, Registrars) can use these records to update the delegation's DS records.

A common method for detecting changes in CDS/CDNSKEY record sets is to query them periodically from the child zone ("polling"), as described in Section 6.1 of [RFC7344]. This document specifies that if polling is used, parent-side entities MUST ensure that CDS/CDNSKEY record sets are equivalent across all of the child's authoritative nameservers, before taking any action based on these records.

The IETF Secretariat
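
The consistency check the abstract describes, sketched as an added example that is not part of the original message or of the draft. Assumptions: "equivalent" is read as set equality of normalized record data, a nameserver that gives no answer leaves consistency unproven, and all nameserver names and record values are constructed; the function names are hypothetical.

```python
# Constructed sample answers (hypothetical names and digests), keyed by nameserver.
CDS_A, CDS_B = "12345 13 2 " + "ab" * 32, "54321 13 2 " + "cd" * 32
SAMPLE_OK = {
    "ns1.example.net.": {"CDS": [CDS_A, CDS_B]},
    "ns2.example.net.": {"CDS": [CDS_B.upper(), CDS_A]},  # order and case differ
}
SAMPLE_DIVERGENT = {
    "ns1.example.net.": {"CDS": [CDS_A, CDS_B]},
    "ns2.example.net.": {"CDS": [CDS_A]},  # one server serves a different set
}
SAMPLE_UNREACHABLE = {"ns1.example.net.": {"CDS": [CDS_A]}, "ns2.example.net.": None}


def normalize(rtype, rdata):
    """Canonical form of one CDS/CDNSKEY rdata string in presentation format."""
    fields = rdata.split()
    head, tail = fields[:3], "".join(fields[3:])  # digest/key may contain spaces
    if rtype == "CDS":
        tail = tail.upper()  # hex digest is case-insensitive; base64 keys are not
    return (rtype, *(int(f) for f in head), tail)


def consistent_rrsets(answers):
    """answers: {nameserver: {"CDS": [...], "CDNSKEY": [...]}, or None if no answer}.

    Returns (True, records) only if every nameserver answered and all returned
    the same set of records; otherwise (False, reason) and no action is taken.
    """
    if not answers:
        return False, "no nameservers to compare"
    seen = {}
    for ns, rrsets in answers.items():
        if rrsets is None:
            # Assumption: an unanswered query means consistency is unproven.
            return False, f"{ns}: no answer"
        seen[ns] = frozenset(
            normalize(rtype, rd) for rtype, rds in rrsets.items() for rd in rds
        )
    if len(set(seen.values())) != 1:
        return False, "record sets differ across: " + ", ".join(sorted(seen))
    return True, next(iter(seen.values()))


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DIVERGENT, SAMPLE_UNREACHABLE):
        print(consistent_rrsets(sample)[0])
```

In a real poller each entry would be filled by querying that nameserver's address directly rather than going through a resolver.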