On 6/30/25 18:33, Peter Thomassen wrote:
Sections 2.5 and 3.5 suggest that registries scan and compare both CDS and
CDNSKEY. While I agree that DNS operators should publish both and ensure they
match, I don’t think registries should be required to query both. This
increases the query load and processing without providing meaningful additional
validation. Or is there a scenario where a CDS/CDNSKEY mismatch could break
anything that is not handled by the existing validation requirements?
Of course, one can imagine all kinds of bugs. For example, in a multi-provider setup,
child-side signers have to co-publish each other's CDS/CDNSKEY records (or KSKs, and then
derive the C* stuff). Depending on how that's done and who publishes what, one can end up
with inconsistencies across the two types of RRsets. It's then certainly clear that
neither the CDS nor the CDNSKEY "half of it" represents the domain holder's
intent.
But I admit this is somewhat constructed, and only caters to the most
conservative perspective on DS updates. But, DNSSEC reputation suffers a lot
from outages caused by misconfigurations, so there's some justification for
being in the conservative camp. But I'm not sure myself.
That said, the query / processing load is expected to change only insignificantly. Although in a
way it "doubles", that's *only* when there is a change. This is the same as with
cross-auth consistency checking: if the first query confirms the status quo, no further queries
need to be made. That is, only in the "tail of rare changes" is the load increased.
Thought experiment: If for 98% of the zones, the first query confirms "no
change", then the other 2% might get 2 CDS queries (one per NS), and -- with
this recommendation -- two more CDNSKEY queries. That increases the overall load of the
system by less than 2%.
... I was in a rush yesterday, and had forgotten one salient point:
Establishing that both CDS/CDNSKEY are published (by requiring it for
processing) allows the parent to change their mind about whether they want to
use DS or DNSKEY format as an input. This possibility also keeps the door open
to, at some point, come to agreement which of the two formats should be used,
deprecating the other, so that eventually the CDS/CDNSKEY dichotomy could be
removed.
There's no chance of that happening when deployments ossify with only CDS or
only CDNSKEY.
Best,
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
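The parent-side scan discussed in the thread, as an added example that is not part of the post and is not deSEC's or any registry's code. It simulates a registry that queries CDS from one nameserver first, stops there when the status quo is confirmed (the "tail of rare changes" argument), and only on a change fetches CDS and CDNSKEY from every nameserver, requiring cross-NS agreement and requiring the CDNSKEY-derived DS set to equal the CDS set before accepting. Key tags follow RFC 4034 Appendix B and DS digests RFC 4509 (SHA-256); the zone name, nameserver names, the two "provider" KSKs and the nameserver contents are constructed, and the multi-provider co-publication bugs shown are hypothetical cases of the kind the post mentions.

```python
"""Parent-side CDS/CDNSKEY scan with cross-NS and CDS<->CDNSKEY consistency checks.

Added example, not code from the mailing-list post or from deSEC. All key
material, names and nameserver contents below are constructed for illustration.
"""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit one's-complement-style sum over the RDATA.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    # RFC 4509: digest = SHA-256(owner name in wire form | DNSKEY RDATA), digest type 2.
    digest = hashlib.sha256(wire_name(owner.lower()) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)


class FakeNameservers:
    """Simulated child nameservers; each serves its own CDS and CDNSKEY RRsets."""

    def __init__(self, rrsets):
        self.rrsets = rrsets  # {ns_name: {"CDS": frozenset[DS], "CDNSKEY": frozenset[DNSKEY]}}
        self.queries = 0      # every lookup the parent makes is counted here

    def query(self, ns, rrtype):
        self.queries += 1
        return self.rrsets[ns][rrtype]

    @property
    def names(self):
        return list(self.rrsets)


def scan_child(zone, servers, current_ds):
    """Return (status, ds_to_install). Only status "accept" leads to a DS update."""
    first, *others = servers.names
    cds = {first: servers.query(first, "CDS")}
    if cds[first] == current_ds:
        return "no-change", None          # status quo confirmed with a single query
    for ns in others:                     # change seen: all nameservers must agree
        cds[ns] = servers.query(ns, "CDS")
    if len(set(cds.values())) != 1:
        return "inconsistent-cds", None
    cdnskey = {ns: servers.query(ns, "CDNSKEY") for ns in servers.names}
    if len(set(cdnskey.values())) != 1:
        return "inconsistent-cdnskey", None
    derived = frozenset(ds_from_dnskey(zone, k) for k in cdnskey[first])
    if derived != cds[first]:             # the two formats must describe the same keys
        return "cds-cdnskey-mismatch", None
    return "accept", cds[first]


# Constructed scenario data (hypothetical zone, providers and keys).
ZONE = "example.test."
KEY_A = DNSKEY(257, 3, 13, bytes(range(32)))      # provider A's KSK, fake key bytes
KEY_B = DNSKEY(257, 3, 13, bytes(range(32, 64)))  # provider B's KSK, fake key bytes
DS_A = ds_from_dnskey(ZONE, KEY_A)
DS_B = ds_from_dnskey(ZONE, KEY_B)
NS_NAMES = ("ns1.provider-a.test.", "ns2.provider-b.test.")


def servers_with(cds, cdnskey, per_ns=None):
    rr = {ns: {"CDS": frozenset(cds), "CDNSKEY": frozenset(cdnskey)} for ns in NS_NAMES}
    rr.update(per_ns or {})
    return FakeNameservers(rr)


def run_scenarios():
    """Run four scans against the parent's current DS {DS_A}; return {name: (result, queries)}."""
    current = frozenset([DS_A])
    out = {}
    s = servers_with([DS_A], [KEY_A])                      # 1: nothing changed
    out["no-change"] = (scan_child(ZONE, s, current), s.queries)
    s = servers_with([DS_A, DS_B], [KEY_A, KEY_B])         # 2: both providers co-publish correctly
    out["rollover"] = (scan_child(ZONE, s, current), s.queries)
    s = servers_with([DS_A, DS_B], [KEY_A, KEY_B],         # 3: provider B forgot A's CDNSKEY
                     per_ns={NS_NAMES[1]: {"CDS": frozenset([DS_A, DS_B]),
                                           "CDNSKEY": frozenset([KEY_B])}})
    out["inconsistent"] = (scan_child(ZONE, s, current), s.queries)
    s = servers_with([DS_A, DS_B], [KEY_B])                # 4: both publish merged CDS, local CDNSKEY
    out["mismatch"] = (scan_child(ZONE, s, current), s.queries)
    return out


if __name__ == "__main__":
    for name, (result, queries) in run_scenarios().items():
        print(f"{name:12s} status={result[0]:22s} queries={queries}")
```

Scenario 1 costs one query; scenarios 2 to 4 cost four (two CDS, two CDNSKEY) because a change was seen, which is the per-zone accounting the thread's thought experiment rests on. Scenarios 3 and 4 are rejected for different reasons: in 3 the cross-NS CDNSKEY check fires, in 4 every nameserver agrees but the CDS set describes keys the CDNSKEY set does not, so neither half can be taken as the holder's intent. The RFC 8078 delete sentinel ("0 0 0 00") is not modelled here.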