Hi Paul,
We addressed the last open issue (see below) and submitted a new revision (-10).
Thanks for the helpful discussion, I feel it's made the draft better!
On 5/18/24 03:23, Peter Thomassen wrote:
OLD
CDS/CDNSKEY records and corresponding signaling records MUST NOT be
published without the zone owner's consent. Likewise, the child DNS
operator MUST enable the zone owner to signal the desire to turn off
DNSSEC by publication of the special-value CDS/CDNSKEY RRset
specified in [RFC8078] Section 4. To facilitate transitions between
DNS operators, child DNS operators SHOULD support the multi-signer
protocols described in [RFC8901].
NEW
It is possible to add CDS/CDNSKEY records and corresponding signaling
records to a zone without explicit knowledge of the domain owner. To
spare domain owners from being caught off guard by state changes
induced by this practice, Child DNS operators doing so are advised to
make this transparent.
Maybe add: ", for example by notifying the domain owner via email".
Mmh, I find this quite prescriptive ("a priming example"). It could also be
done as an info box when you create the zone (perhaps you can untick a box to disable),
or as an advertised feature when you book the plan. Those approaches seem favorable,
because they are ahead of time (before it actually happens), while a notification is
after the fact.
Now, I'm not sure whether we should go into elaborating on all of this; but *if* we say
something, I feel we should mention one of the "ahead-of-time" ways. I'd be
curious to know what you think of this.
NEW
It is possible to add CDS/CDNSKEY records and corresponding signaling
records to a zone without the domain owner's explicit knowledge. To
spare domain owners from being caught off guard by the ensuing DS
changes, child DNS operators following this practice are advised to
make that transparent, such as by informing the domain owner during
zone creation (e.g., in a GUI), or by notifying them via email.
Thanks,
Peter
--
https://desec.io/
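As an added example (not text from the draft, nor code from deSEC or the thread), here is an owner-side check in Python that classifies a child zone's CDS RRset, recognising the RFC 8078 Section 4 delete signal, and reports the kind of DS state change the discussion above wants zone owners to be told about. The record values are constructed; the handling of a mixed RRset is this example's conservative choice, not something the draft specifies.

```python
"""Owner-side monitor for CDS records at a child zone apex (added example).
Sample records below are constructed, not taken from any real zone."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class CdsRecord:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, lowercase, whitespace removed

# RFC 8078 Section 4: a CDS of "0 0 0 00" asks the parent to remove the DS RRset.
DELETE_CDS = CdsRecord(0, 0, 0, "00")

def parse_cds(line: str) -> CdsRecord:
    """Parse one presentation-format line, e.g. 'example.com. 3600 IN CDS 12345 13 2 49fd...'."""
    fields = line.split()
    i = fields.index("CDS")
    key_tag, algorithm, digest_type = (int(f) for f in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).lower()
    # Algorithm 0 is reserved; the only legitimate use is the delete signal.
    if algorithm == 0 and (key_tag, digest_type, digest) != (0, 0, "00"):
        raise ValueError(f"algorithm 0 is only valid in the delete signal: {line!r}")
    return CdsRecord(key_tag, algorithm, digest_type, digest)

def classify(rrset: FrozenSet[CdsRecord]) -> str:
    """Return 'absent', 'delete' (RFC 8078 Section 4), 'mixed', or 'ds-update'."""
    if not rrset:
        return "absent"
    deletes = sum(1 for r in rrset if r == DELETE_CDS)
    if deletes == len(rrset):
        return "delete"
    if deletes:
        return "mixed"  # assumption in this example: a parent should not act on this
    return "ds-update"

def state_change(previous: FrozenSet[CdsRecord], current: FrozenSet[CdsRecord]) -> Optional[str]:
    """Return a notice for the zone owner when the CDS RRset changed, else None."""
    if previous == current:
        return None
    notices = {
        "ds-update": "CDS published: the parent will create or replace the DS RRset",
        "delete": "CDS delete signal published: the parent will remove the DS and the zone goes insecure",
        "mixed": "CDS RRset mixes the delete signal with real records; parents should ignore it",
        "absent": "CDS records withdrawn: no further automatic DS changes",
    }
    before, after = classify(previous), classify(current)
    return f"{before} -> {after}: {notices[after]}"
```

Run against periodic snapshots of the apex, the notice is the "after the fact" notification discussed above; the "ahead-of-time" disclosure at zone creation still has to come from the operator.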
DNSOP mailing list -- dnsop@ietf.org