Hello Peter!
On 08/07/2025 00:30, Peter Thomassen wrote:
> Thank you for raising this point in the original post of this thread!
> Indeed, this aspect was underspecified.
> It looks like the approach described by Oli is considered reasonable,
> so I've added words along those lines to the draft:
> NEW
> In order to determine plausible consistency of CDS/CDNSKEY or CSYNC
> RRsets across the child's nameservers, the Parental Agent MUST fetch
> all IP addresses for each nameserver hostname as listed in the
> Child's delegation from the Parent, using a validating resolver at
> one vantage point, and including glue records if available. Before
> acting on any CDS/CDNSKEY or CSYNC record for the child, the Parental
> Agent MUST have established plausible consistency by querying all of
> these IP addresses for the record set(s) in question, as per the
> guidelines spelled in the following subsections.
> Glad you insisted on this, better late than never! :-)
Thanks for this clarification, I think it would really help make
different implementations of this standard interoperable.
I would just like to reiterate one more comment I have regarding this draft:
The appendix A.1. describes an impossible failure scenario, considering
that Section 6.2 of RFC 7344 says that:
> The Parental Agent MUST ensure that previous versions of the CDS/
> CDNSKEY RRset do not overwrite more recent versions.
With this MUST in place, the scenario described in A.1. just cannot
happen. It is not a big deal, but seeing it written like this is
implying that this risk was not considered when writing RFC 7344, which
is not the case.
--
Best regards,
Ondřej Caletka
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
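The consistency check in the draft text quoted in this message, as an added example that is not part of the thread or of the draft: the Parental Agent collects every address of every NS hostname in the delegation (resolver answers merged with glue) and accepts the child's CDS RRset only if every one of those addresses returns the same RRset. All hostnames, addresses, RDATA and answers below are constructed sample data.

```python
# Constructed sample data, not from the thread or the draft.
# NS hostnames in the child's delegation as held by the parent.
DELEGATION_NS = ["ns1.child.example", "ns2.child.example", "ns.host.example"]
# Glue the parent publishes for the in-bailiwick nameservers.
GLUE = {"ns1.child.example": ["192.0.2.1"], "ns2.child.example": ["192.0.2.2"]}
# What the (assumed validating) resolver at one vantage point returned.
RESOLVED = {
    "ns1.child.example": ["192.0.2.1", "2001:db8::1"],
    "ns2.child.example": ["192.0.2.2"],
    "ns.host.example": ["198.51.100.7", "198.51.100.8"],
}
# Per-address answers for the child's CDS RRset (presentation-format RDATA,
# digests are placeholders). A missing key models a timeout or REFUSED.
CDS_ANSWERS = {
    "192.0.2.1": frozenset({"12345 13 2 DIGEST-A"}),
    "2001:db8::1": frozenset({"12345 13 2 DIGEST-A"}),
    "192.0.2.2": frozenset({"12345 13 2 DIGEST-A"}),
    "198.51.100.7": frozenset({"12345 13 2 DIGEST-A"}),
    "198.51.100.8": frozenset({"12345 13 2 DIGEST-A"}),
}


def addresses_to_query(ns_names, resolved, glue):
    """Every address of every NS hostname: resolver answers merged with glue,
    de-duplicated, so a stale or missing glue record cannot hide a server."""
    return {
        ns: sorted(set(resolved.get(ns, [])) | set(glue.get(ns, [])))
        for ns in ns_names
    }


def plausibly_consistent(targets, answers):
    """(ok, reason): ok only if every address of every NS answered and all
    answers carry an identical RRset. A silent address is a failure, not a
    skip, so a majority of agreeing servers is not enough."""
    observed = {}
    for ns, addrs in targets.items():
        if not addrs:
            return False, f"no address known for {ns}"
        for addr in addrs:
            rrset = answers.get(addr)
            if rrset is None:
                return False, f"no answer from {ns} at {addr}"
            observed[(ns, addr)] = rrset
    distinct = set(observed.values())
    if len(distinct) != 1:
        return False, f"{len(distinct)} different RRsets across nameservers"
    return True, f"identical RRset from all {len(observed)} addresses"
```

Swapping one address's answer for an older RRset, or dropping one address's answer entirely, makes the check fail, which is the behaviour the MUST in the draft text asks for.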