Also not copying CDS to DS unchanged in the parent will break automatic DNSKEY
rolls as children will stall waiting for the updated matching DS set to be
published.

Similarly not copying RSASHA1 CDS to DS unchanged will break automatic DNSKEY
rolls as children will stall waiting for the updated matching DS set to be
published.

Do we want automatic DNSSEC management to work or not?

As for manual management, how will the child zone operator be informed of what
is happening?

A managed removal would have Registries and Registrars informing Registrants of
the new requirements.

Also, just not publishing SHA1 CDS is problematic as it may leave stranded DS if
there are no other digest types configured. The removal of the DS RRset needs
to be signaled in this case, which is not mentioned.

Similarly, removal of generating RSASHA1 and NSEC3-RSASHA1-NSEC3 CDS records can
also leave an empty CDS RRset, leaving stranded DS records.

-- 
Mark Andrews
_______________________________________________
DNSOP mailing list -- [email protected]
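The stranded-DS case described in the post, as an added illustration that is not part of the message or of any registry's code: a hypothetical parent-side policy check that parses a child's CDS RRset, optionally drops SHA-1 digests and RSASHA1 algorithms the way a SHA-1 phase-out policy would, and reports when that filtering empties the set while DS records remain published without the RFC 8078 removal signal. The filter sets, record names and the `plan_ds` interface are assumptions made for this example.

```python
from dataclasses import dataclass

DROPPED_DIGESTS = {1}     # DS digest type 1 = SHA-1 (assumed phase-out policy)
DROPPED_ALGS = {5, 7}     # DNSKEY algorithms RSASHA1 and RSASHA1-NSEC3-SHA1


@dataclass(frozen=True)
class DSRecord:
    keytag: int
    alg: int
    digest_type: int
    digest: str


def parse_rr(rdata: str) -> DSRecord:
    """Parse CDS/DS rdata in presentation form: keytag alg digesttype digest."""
    tag, alg, dtype, digest = rdata.split(None, 3)
    return DSRecord(int(tag), int(alg), int(dtype), digest.replace(" ", "").lower())


def is_delete_signal(rrset: set) -> bool:
    """RFC 8078 section 4: a lone CDS '0 0 0 00' asks the parent to remove the DS RRset."""
    return rrset == {DSRecord(0, 0, 0, "00")}


def plan_ds(cds_rdata, ds_rdata, filter_legacy=True) -> dict:
    """Decide what the parent would publish from the child's CDS RRset.

    Returns an action in {"remove", "unchanged", "replace", "stall"} plus a
    'stranded' flag, set when filtering empties the CDS set while DS records
    remain published and no removal was signalled.
    """
    cds = {parse_rr(r) for r in cds_rdata}
    ds = {parse_rr(r) for r in ds_rdata}
    if is_delete_signal(cds):
        return {"action": "remove", "ds": set(), "stranded": False}
    kept = cds
    if filter_legacy:
        kept = {r for r in cds
                if r.digest_type not in DROPPED_DIGESTS and r.alg not in DROPPED_ALGS}
    if not kept:
        # Filtering left nothing to copy: the parent cannot follow the child,
        # the old DS set stays in place, and an automatic roll stalls here.
        return {"action": "stall", "ds": ds, "stranded": bool(ds)}
    action = "unchanged" if kept == ds else "replace"
    return {"action": action, "ds": kept, "stranded": False}
```

Running `plan_ds` on a constructed child that publishes only a SHA-1 CDS matching its current DS returns `stall` with `stranded` set, while the same input with `filter_legacy=False` returns `unchanged`.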