Similarly, if CDNSKEY becomes empty after removing RSASHA1, publishing removal CDNSKEY records should be done to prevent orphaned DS records. -- Mark Andrews
> On 5 Aug 2025, at 4:30, Mark Andrews <[email protected]> wrote:
>
> > Also not copying CDS to DS unchanged in the parent will break automatic
> > DNSKEY rolls as children will stall waiting for the updated matching DS set
> > to be published.
> >
> > Similarly not copying RSASHA1 CDS to DS unchanged will break automatic DNSKEY
> > rolls as children will stall waiting for the updated matching DS set to be
> > published.
> >
> > Do we want automatic DNSSEC management to work or not?
> >
> > As for manual management how will the child zone operator be informed of what
> > is happening?
> >
> > A managed removal would have Registries and Registrars informing Registrants
> > of the new requirements.
> >
> > Also just not publishing SHA1 CDS is problematic as it may leave stranded DS
> > if there are no other digest types configured. The removal of the DS RRset
> > needs to be signaled in this case which is not mentioned.
> >
> > Similarly removal of generating RSASHA1 and RSASHA1-NSEC3-SHA1 CDS records
> > can also leave an empty CDS RRset leaving stranded DS records.
> >
> > --
> > Mark Andrews
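The two failure modes raised in the message (a parent that filters SHA-1 CDS records and ends up publishing a DS set that never matches the child's CDS, so the child's automatic roll stalls, and a CDS set that becomes empty after filtering, leaving stranded DS records) can be made concrete with a small parent-side check. The following is an added example, not code from Mark Andrews, BIND or any registry; it assumes the RFC 8078 conventions that a CDS/DS record is (key_tag, algorithm, digest_type, digest) and that the special record `0 0 0 00` signals DS deletion. The `plan_ds_update` function, the `DS` dataclass and the sample zone `child.example.` are hypothetical names introduced here, and the digests are constructed placeholders.

```python
"""Parent-side CDS -> DS synchronisation check (added illustration, not the
thread author's or any registry's code). Assumes RFC 8078 semantics."""
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers and DS digest type being phased out
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
DIGEST_SHA1 = 1


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


DELETE_SIGNAL = DS(0, 0, 0, "00")  # RFC 8078 "delete DS" record: 0 0 0 00


def parse_cds(lines):
    """Parse presentation-format CDS lines into a set of DS tuples."""
    rrset = set()
    for line in lines:
        fields = line.split()
        i = fields.index("CDS")  # then: key_tag algorithm digest_type digest...
        key_tag, alg, dtype = (int(f) for f in fields[i + 1:i + 4])
        digest = "".join(fields[i + 4:]).lower()  # digest may be split by spaces
        rrset.add(DS(key_tag, alg, dtype, digest))
    return rrset


def uses_sha1(ds):
    """True if the record depends on SHA-1 either as algorithm or as digest."""
    return ds.algorithm in (RSASHA1, RSASHA1_NSEC3_SHA1) or ds.digest_type == DIGEST_SHA1


def plan_ds_update(cds, current_ds, reject_sha1=True):
    """Decide what the parent should do with the child's CDS RRset.

    Returns (action, ds_to_publish, reason); action is one of
      'delete'  - child asked for DS removal
      'keep'    - nothing to change
      'replace' - publish the CDS set as DS, copied unchanged
      'notify'  - leave DS alone and inform the child operator: applying the
                  policy would leave DS stranded or mismatched with CDS
    """
    if cds == {DELETE_SIGNAL}:
        return "delete", set(), "child signalled DS removal (RFC 8078)"
    if not cds:
        return "keep", current_ds, "no CDS published; nothing to do"
    accepted = {d for d in cds if not (reject_sha1 and uses_sha1(d))}
    if not accepted:
        # Every CDS record was rejected. Silently ignoring them leaves the old
        # DS in place, orphaned once the child drops those keys; this case has
        # to be signalled to the operator rather than dropped.
        return "notify", current_ds, "all CDS records rejected; DS would be stranded"
    if accepted != cds:
        # A partial copy can never match the child's CDS, so the child's
        # automatic roll would stall waiting for the parent.
        return "notify", current_ds, "CDS partially rejected; DS would not match CDS"
    if accepted == current_ds:
        return "keep", current_ds, "DS already matches CDS"
    return "replace", accepted, "DS replaced by CDS copied unchanged"


# Constructed sample input; digests are placeholders, not real key hashes.
SHA1_ONLY_CDS = [
    "child.example. 3600 IN CDS 11111 5 1 " + "aa" * 20,
    "child.example. 3600 IN CDS 22222 7 2 " + "bb" * 32,
]
MIXED_CDS = [
    "child.example. 3600 IN CDS 33333 13 1 " + "cc" * 20,
    "child.example. 3600 IN CDS 33333 13 2 " + "dd" * 32,
]
CLEAN_CDS = ["child.example. 3600 IN CDS 33333 13 2 " + "dd" * 32]
DELETE_CDS = ["child.example. 3600 IN CDS 0 0 0 00"]

if __name__ == "__main__":
    current = parse_cds(SHA1_ONLY_CDS)  # parent currently holds SHA-1 based DS
    for name, lines in [("sha1-only", SHA1_ONLY_CDS), ("mixed", MIXED_CDS),
                        ("clean", CLEAN_CDS), ("delete", DELETE_CDS)]:
        action, ds, why = plan_ds_update(parse_cds(lines), current)
        print(f"{name:9s} -> {action:7s} ({len(ds)} DS) {why}")
```

The point of the `notify` outcome is the one the message makes: a parent that either drops SHA-1 CDS records silently or copies only part of the set breaks the child's automatic roll, so the only safe options are copying the set unchanged, honouring an explicit delete signal, or surfacing the mismatch to the registrant.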
