Hi Oli,
thank you for the detailed answer!
On 24/06/2025 14:41, Oli Schacher wrote:
> Our implementation first asks a validating resolver for the CDS RRSET
> of each domain, so we get a first pass from a "random" authoritative
> server. If this CDS RRSET already matches the current DS state, then
> we abort - because even if another authoritative server would return a
> different CDS RRSET it would mean the CDS RRSETs are inconsistent anyway.
> If the CDS RRSET does indicate a change request to the status quo, we
> fetch ALL IP addresses for each nameserver hostname (from our own
> delegation data i.e. glue records if we have them) and also through a
> validating resolver. Then we ask each of these IPs directly for the
> CDS RRSET and compare the result to the initial answer from the resolver.
This seems to be a sensible approach. It will likely detect multi-signer
inconsistencies while not being very resource intensive.
--
Ondřej
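The two-step CDS check Oli describes above, written out as an added example; this is not code from the thread or from the implementation he refers to. DNS lookups are injected as callables so the logic runs offline on constructed data (the zone names, addresses and digests below are made up), and treating an unreachable nameserver address as inconsistent is my assumption, not something the thread states.

```python
from typing import Callable, FrozenSet, Iterable, Optional, Tuple

DsRecord = Tuple[int, int, int, str]  # key_tag, algorithm, digest_type, digest (hex)
RRset = FrozenSet[DsRecord]
Lookup = Callable[[str], Optional[RRset]]

NO_CHANGE, NO_VALIDATED_CDS, INCONSISTENT, UPDATE = "no-change", "no-cds", "inconsistent", "update"


def evaluate_cds(domain: str, current_ds: RRset,
                 resolver_cds: Lookup,                            # validating resolver
                 nameserver_ips: Callable[[str], Iterable[str]],  # glue + resolver-derived
                 cds_at: Callable[[str, str], Optional[RRset]],   # direct query (ip, name)
                 ) -> Tuple[str, Optional[RRset]]:
    # Step 1: one pass through a validating resolver (some "random" auth server).
    first = resolver_cds(domain)
    if first is None:           # no (validated) CDS published: nothing to act on
        return NO_VALIDATED_CDS, None
    # Matching the parent's DS means no change is requested, so stop here: a
    # differing answer elsewhere would only prove the CDS RRsets inconsistent.
    if first == current_ds:
        return NO_CHANGE, None
    # Step 2: a change is requested, so ask every nameserver address directly.
    for ip in sorted(set(nameserver_ips(domain))):
        # A timeout/SERVFAIL (None) or a differing RRset both block the update
        # (assumption: fail closed so a half-rolled multi-signer zone never wins).
        if cds_at(ip, domain) != first:
            return INCONSISTENT, None
    return UPDATE, first

# Constructed sample data (not real zones): ns1 has two addresses, ns2 has one.
OLD_DS: RRset = frozenset({(12345, 13, 2, "aa" * 32)})
NEW_CDS: RRset = frozenset({(54321, 13, 2, "bb" * 32)})
NS_IPS = {"example.test": ["192.0.2.1", "2001:db8::1", "192.0.2.2"]}

def check_with(direct_answers: dict) -> Tuple[str, Optional[RRset]]:
    """Run the check against in-memory answers standing in for real DNS queries."""
    return evaluate_cds(
        "example.test", OLD_DS,
        resolver_cds=lambda name: NEW_CDS if name == "example.test" else None,
        nameserver_ips=lambda name: NS_IPS.get(name, []),
        cds_at=lambda ip, name: direct_answers.get(ip),
    )

def run_consistent() -> Tuple[str, Optional[RRset]]:
    # Every address serves the same CDS as the resolver saw: DS update accepted.
    return check_with({ip: NEW_CDS for ip in NS_IPS["example.test"]})

def run_multisigner_lag() -> Tuple[str, Optional[RRset]]:
    # One provider's server (192.0.2.2) still serves the old CDS: change rejected.
    return check_with({"192.0.2.1": NEW_CDS, "2001:db8::1": NEW_CDS, "192.0.2.2": OLD_DS})
```

For production use, `resolver_cds` would be a DNSSEC-validating lookup (accepting only AD answers) and `cds_at` a non-recursive query to each address, which is exactly the part this example leaves injectable.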
_______________________________________________
DNSOP mailing list -- [email protected]