dnssec-policy - KSK rollover

Mark Elkins mark at posix.co.za
Thu Nov 24 12:44:09 UTC 2022


OK - so I read RFC7344... Automating DNSSEC Delegation Trust Maintenance

There are two interesting paragraphs.....

5.  CDS/CDNSKEY Publication

   The Child DNS Operator publishes CDS/CDNSKEY RRset(s).  In order to
   be valid, the CDS/CDNSKEY RRset(s) MUST be compliant with the rules
   in Section 4.1.  *When the Parent DS is in sync with the CDS/CDNSKEY
   RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY RRset(s);*
   the Child can determine if this is the case by querying for DS
   records in the Parent.


6.1.1.  CDS/CDNSKEY Polling

   This is the only defined use of CDS/CDNSKEY resource records in this
   document.  There are limits to the scalability of polling techniques;
   thus, some other mechanism is likely to be specified later that
   addresses CDS/CDNSKEY resource record usage in the situation where
   polling runs into scaling issues.  Having said that, polling will
   work in many important cases such as enterprises, universities, and
   smaller TLDs.  In many regulatory environments, the Registry is
   prohibited from talking to the Registrant.  In most of these cases,
   the Registrant has a business relationship with the Registrar, so the
   Registrar can offer this as a service.

   *If the CDS/CDNSKEY RRset(s) do not exist, the Parental Agent MUST
   take no action.  Specifically, it MUST NOT delete or alter the
   existing DS RRset.*

I'm confused. There is no text describing how a Key Rollover might work. 
The Child can delete the CDS once it believes the Parent has activated 
the appropriate DS. There is no discussion on how a Parent will know to 
remove that DS record... unless it is via asking the Child for all 
existing DNSKEY records of type 257 and then recalculating the DS 
records and working out what is missing. Then we don't need CDS records 
at all - just poll for DNSKEY records?

I think I really prefer the simplicity of mirroring the CDS's of a Child 
into the DS's on the Parent. Makes handling of Null CDS records easier.

On 2022/11/24 09:50, Matthijs Mekking wrote:
> Hi,
>
> I think this should work with some caveats.
>
>
> This is true for BIND 9, as it will publish the CDS for as long as the 
> DS should be in the parent. But it doesn't have to be the case. The 
> RFC (7344) says:
>
>    When the Parent DS is in sync with the CDS/CDNSKEY
>    RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY RRset(s);
>    the Child can determine if this is the case by querying for DS
>    records in the Parent.
> -- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496
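As an added example (not code from the original post, and not BIND's own implementation), here is how a Parental Agent could mirror a Child's CDS RRset into its DS RRset under the RFC 7344 rules quoted above, walked through a KSK rollover. The record values are constructed placeholders, and the CDS signature checks required by section 4.1 are assumed to have been done by the caller.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    """One DS or CDS record (RFC 4034 fields): key tag, algorithm, digest type, digest."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

    @classmethod
    def parse(cls, rdata: str) -> DS:
        """Parse presentation-format RDATA such as '11111 13 2 ABCD...' (digest may be split)."""
        tag, alg, dtype, *digest = rdata.split()
        return cls(int(tag), int(alg), int(dtype), "".join(digest).lower())


def plan_ds_update(parent_ds: set[DS], child_cds: set[DS] | None) -> tuple[set[DS], set[DS]]:
    """Return (to_add, to_remove) so that the parent's DS RRset mirrors the child's CDS RRset.

    RFC 7344 section 6.1.1: if the child publishes no CDS RRset, the parent MUST take
    no action and MUST NOT delete or alter the existing DS RRset.  Otherwise the DS
    RRset is made equal to the CDS RRset, so a DS the child dropped from its CDS
    (the old KSK after a rollover) is removed without polling DNSKEY records.
    """
    if not child_cds:                    # None (NODATA) or empty: leave DS untouched
        return set(), set()
    # Local sanity rule added here (not a rule quoted in the thread): a CDS RRset that
    # shares no record with the current DS would replace the whole chain of trust in
    # one step, so it is refused rather than mirrored.
    if parent_ds and not (parent_ds & child_cds):
        raise ValueError("CDS RRset shares no record with the current DS RRset")
    return child_cds - parent_ds, parent_ds - child_cds


# Constructed sample records (key tags and digests are placeholders, not real key hashes).
OLD_KSK = DS.parse("11111 13 2 " + "11" * 32)
NEW_KSK = DS.parse("22222 13 2 " + "22" * 32)


def simulate_ksk_rollover() -> list[set[DS]]:
    """Walk a KSK rollover as the parent sees it; return the parent DS RRset after each poll."""
    parent = {OLD_KSK}
    history = []
    # The child publishes CDS for both keys, then only for the new key, then withdraws CDS.
    for cds in ({OLD_KSK, NEW_KSK}, {NEW_KSK}, None):
        add, remove = plan_ds_update(parent, cds)
        parent = (parent - remove) | add
        history.append(set(parent))
    return history
```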


