Also, not copying CDS to DS unchanged in the parent will break automatic DNSKEY rolls, as children will stall waiting for the updated matching DS set to be published.

Similarly, not copying RSASHA1 CDS to DS unchanged will break automatic DNSKEY rolls, as children will stall waiting for the updated matching DS set to be published. Do we want automatic DNSSEC management to work or not?

As for manual management, how will the child zone operator be informed of what is happening? A managed removal would have Registries and Registrars informing Registrants of the new requirements.

Also, just not publishing SHA1 CDS is problematic, as it may leave stranded DS if there are no other digest types configured. The removal of the DS RRset needs to be signaled in this case, which is not mentioned. Similarly, removal of generating RSASHA1 and NSEC3-RSASHA1-NSEC3 CDS records can also leave an empty CDS RRset, leaving stranded DS records.

-- 
Mark Andrews

_______________________________________________
DNSOP mailing list -- [email protected]
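The stall and stranded-DS cases described in the post, worked through as an added example that is not part of the post or the DNSOP thread: the record values are constructed, the parent policy function is an assumption modelled on RFC 7344/8078 semantics rather than any registry's real implementation, and the child is assumed to compare the whole DS set against its CDS set before completing a roll.

```python
# Added example: model a parent's CDS -> DS processing and show how dropping
# SHA-1 digest types can strand DS records or stall an automatic key roll.
# Values are constructed; the policy is an assumption modelled on RFC 7344/8078.
from dataclasses import dataclass

SHA1, SHA256 = 1, 2              # DS digest type numbers

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int               # DNSKEY algorithm number
    digest_type: int
    digest: str                  # hex digest (constructed placeholders below)

DELETE_CDS = DS(0, 0, 0, "00")   # RFC 8078 "delete the DS RRset" signal

def parent_update(current_ds, cds, accept_digest_types=None):
    """Return the DS RRset the parent publishes after reading the child's CDS.
    accept_digest_types=None copies CDS to DS unchanged; otherwise CDS records
    with an unaccepted digest type are dropped. An empty CDS RRset, or nothing
    acceptable left after filtering, means 'no change' (RFC 7344)."""
    if cds == {DELETE_CDS}:
        return set()
    if accept_digest_types is not None:
        cds = {r for r in cds if r.digest_type in accept_digest_types}
    if not cds:
        return set(current_ds)   # stranded: old DS stays, child is never told
    return set(cds)

def roll_stalls(published_ds, cds):
    """A child rolling keys waits until the parent's DS matches its CDS set."""
    return cds != {DELETE_CDS} and published_ds != cds

def scenarios():
    old = DS(11111, 8, SHA1, "aa11")          # DS for the key being retired
    new_sha1 = DS(22222, 8, SHA1, "bb22")
    new_sha256 = DS(22222, 8, SHA256, "cc33")
    results = {}
    ds = parent_update({old}, {new_sha1})                  # 1. copied unchanged
    results["copy_unchanged"] = (ds, roll_stalls(ds, {new_sha1}))
    ds = parent_update({old}, {new_sha1}, {SHA256})        # 2. only SHA-1 CDS, dropped
    results["sha1_dropped_no_other_digest"] = (ds, roll_stalls(ds, {new_sha1}))
    ds = parent_update({old}, {new_sha1, new_sha256}, {SHA256})  # 3. both digests
    results["sha1_dropped_with_sha256"] = (ds, roll_stalls(ds, {new_sha1, new_sha256}))
    results["delete_signal"] = parent_update({old}, {DELETE_CDS})  # 4. explicit delete
    return results
```

Scenario 2 is the stranded-DS case: the parent keeps publishing a DS for the retired key and the child's roll never completes, and only the explicit delete signal of scenario 4 clears it.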
