dnssec-policy - KSK rollover

Matthijs Mekking matthijs at isc.org
Thu Nov 24 16:00:11 UTC 2022


Hi Mark,

On 24-11-2022 13:44, Mark Elkins via bind-users wrote:
> OK - so I read RFC7344... Automating DNSSEC Delegation Trust Maintenance
> 
> There are two interesting paragraphs.....
> 
> 5.  CDS/CDNSKEY Publication
> 
>    The Child DNS Operator publishes CDS/CDNSKEY RRset(s).  In order to
>    be valid, the CDS/CDNSKEY RRset(s) MUST be compliant with the rules
>    in Section 4.1.  *When the Parent DS is in sync with the CDS/CDNSKEY
>    RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY RRset(s);*
>    the Child can determine if this is the case by querying for DS
>    records in the Parent.
> 
> 6.1.1.  CDS/CDNSKEY Polling
> 
>    This is the only defined use of CDS/CDNSKEY resource records in this
>    document.  There are limits to the scalability of polling techniques;
>    thus, some other mechanism is likely to be specified later that
>    addresses CDS/CDNSKEY resource record usage in the situation where
>    polling runs into scaling issues.  Having said that, polling will
>    work in many important cases such as enterprises, universities, and
>    smaller TLDs.  In many regulatory environments, the Registry is
>    prohibited from talking to the Registrant.  In most of these cases,
>    the Registrant has a business relationship with the Registrar, so the
>    Registrar can offer this as a service.
> 
>    *If the CDS/CDNSKEY RRset(s) do not exist, the Parental Agent MUST
>    take no action.  Specifically, it MUST NOT delete or alter the
>    existing DS RRset.*
> 
> I'm confused. There is no text describing how a Key Rollover might work. 
> The Child can delete the CDS once it believed the Parent has activated 
> the appropriate DS. There is no discussion on how a Parent will know to 
> remove that DS record... unless it is via asking the Child for all 
> existing DNSKEY records of type 257 and then recalculating the DS 
> records and working out what is missing. Then we don't need CDS records 
> at all - just Poll for DNSKEY records?

Note that the child can delete the CDS **RRset** once it believes the 
parent is in sync (not just a single CDS record).

The parent should remove the existing DS record if it encounters a 
CDS/CDNSKEY RRset that does not have a corresponding record for the 
given DS record.

The only corner case is that there is no way to signal that all DS 
records must be removed from the parent (i.e. going insecure) in RFC 
7344. That is defined in RFC 8078.

Hope this helps take away your confusion.


> I think I really prefer the simplicity of mirroring the CDS's of a Child
> into the DS's on the Parent. Makes handling of Null CDS records easier.

Me too :)

Best regards, Matthijs

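The parent-side decision logic the reply describes (take no action when no CDS RRset exists, mirror the validated CDS RRset into the DS RRset so that a DS without a matching CDS is removed, and honour the RFC 8078 "delete" record for going insecure), written out as an added example. This is not BIND's code or anything from the thread; the `DS` record type, `plan_ds_update`, and the sample key tags and digests are constructed for the illustration, and DNSSEC validation of the CDS RRset is assumed to have been done by the poller that calls it.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class DS:
    """One DS (or CDS) record; the digest is kept as the hex text seen in the zone."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


# RFC 8078, section 4: a CDS RRset consisting solely of "0 0 0 00" asks the
# parent to remove the whole DS RRset (the child is going insecure).
DELETE_CDS = DS(key_tag=0, algorithm=0, digest_type=0, digest="00")


@dataclass(frozen=True)
class SyncDecision:
    """What the parental agent should publish after one poll of the child."""
    add: FrozenSet[DS]
    remove: FrozenSet[DS]
    reason: str


def plan_ds_update(current_ds: FrozenSet[DS],
                   cds: Optional[FrozenSet[DS]],
                   cds_validated: bool) -> SyncDecision:
    """Apply the RFC 7344 / RFC 8078 rules to one poll result.

    current_ds:    the DS RRset the parent currently publishes for the delegation
    cds:           the CDS RRset returned by the poll, None if the child has none
    cds_validated: True only if the poller DNSSEC-validated the CDS RRset against
                   the existing chain of trust (RFC 7344 section 4.1)
    """
    nothing: FrozenSet[DS] = frozenset()

    # RFC 7344 section 6.1.1: no CDS RRset means take no action at all.
    if not cds:
        return SyncDecision(nothing, nothing, "no CDS RRset: take no action")

    # An unvalidated CDS RRset must never drive a DS change.
    if not cds_validated:
        return SyncDecision(nothing, nothing, "CDS RRset not validated: ignored")

    # RFC 8078 delete signal; it must be the only record in the RRset.
    if DELETE_CDS in cds:
        if len(cds) != 1:
            return SyncDecision(nothing, nothing,
                                "delete record mixed with other CDS: ignored")
        return SyncDecision(nothing, current_ds,
                            "RFC 8078 delete: remove entire DS RRset")

    # Mirror the CDS RRset: add what is new, drop any DS with no matching CDS.
    # Because the CDS RRset is non-empty, the DS RRset can never end up empty here.
    to_add = cds - current_ds
    to_remove = current_ds - cds
    if not to_add and not to_remove:
        return SyncDecision(nothing, nothing, "DS already in sync with CDS")
    return SyncDecision(to_add, to_remove, "mirror CDS into DS")


def apply_decision(current_ds: FrozenSet[DS], decision: SyncDecision) -> FrozenSet[DS]:
    """Return the DS RRset the parent publishes after acting on the decision."""
    return (current_ds - decision.remove) | decision.add


def ksk_rollover_walkthrough() -> list:
    """Constructed KSK rollover as seen from the parent, step by step.

    Returns the DS RRset published after each poll so the sequence can be checked.
    """
    old_ksk = DS(12345, 13, 2, "aa" * 32)   # constructed sample, not a real key
    new_ksk = DS(54321, 13, 2, "bb" * 32)   # constructed sample, not a real key
    published: FrozenSet[DS] = frozenset({old_ksk})
    history = []
    # Child publishes CDS for both keys, then for the new key only, then
    # withdraws the CDS RRset once it sees the parent is in sync.
    for cds in (frozenset({old_ksk, new_ksk}), frozenset({new_ksk}), None):
        decision = plan_ds_update(published, cds, cds_validated=True)
        published = apply_decision(published, decision)
        history.append((decision.reason, published))
    return history


if __name__ == "__main__":
    for reason, ds_set in ksk_rollover_walkthrough():
        print(f"{reason}: {sorted(d.key_tag for d in ds_set)}")
```

The third poll (CDS RRset gone) leaves the DS RRset untouched, which is the point of section 6.1.1: withdrawing the CDS RRset is never read as "remove my DS". Removing a DS only happens when a validated CDS RRset is present and lacks a record for it, or when the RFC 8078 delete record is published on its own.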
