The document also fails to mention CDS and CDNSKEY both of which are used to generate DS records. Lack of guidance here will result in bad outcomes as orphaned DS will occur.
"MUST NOT generate CDS records with digest type SHA1." is implementable today assuming that is not the only digest type. If SHA1 is the only digest type being used to generate CDS records then "CDS 0 0 0 00" needs to be published.

"MUST NOT generate CDS records with algorithm RSASHA1 or NSEC3-RSASHA1-NSEC3" requires careful processing. If there are other algorithms for the zone then they can be removed in a straightforward manner. If there are no other algorithms in the CDS set then "CDS 0 0 0 00" needs to be published.

"MUST NOT generate CDNSKEY records with algorithm RSASHA1 or NSEC3-RSASHA1-NSEC3" is equally problematic, with "CDNSKEY 0 3 0 AA==" needing to be published if there aren't any other algorithms remaining.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]
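The processing described in the message above, as an added example that is not part of the original post or of any ISC code: a small Python filter that drops CDS/CDNSKEY records using SHA1 digests or the RSASHA1-family algorithms and, when nothing eligible remains, emits the "delete" record ("CDS 0 0 0 00" / "CDNSKEY 0 3 0 AA==") instead of an empty set, so the parent never ends up with an orphaned DS. The algorithm and digest-type numbers are the IANA registry values; the record texts and sample data are constructed for the example.

```python
"""Apply a 'no SHA-1' policy to a zone's CDS/CDNSKEY set.

Added example (not from the mailing-list post). Records are given in
presentation format, e.g. "example. IN CDS 12345 8 2 <hex digest>".
"""
from dataclasses import dataclass
from typing import List

# DNSSEC algorithm numbers (IANA "DNS Security Algorithm Numbers")
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
# DS digest type numbers (IANA "Digest Algorithms")
DIGEST_SHA1 = 1

FORBIDDEN_ALGORITHMS = {RSASHA1, RSASHA1_NSEC3_SHA1}
FORBIDDEN_DIGEST_TYPES = {DIGEST_SHA1}

# RFC 8078 "delete" records: published when no acceptable CDS/CDNSKEY
# remains, so the parent removes the DS rather than keeping a stale one.
CDS_DELETE = "CDS 0 0 0 00"
CDNSKEY_DELETE = "CDNSKEY 0 3 0 AA=="


@dataclass(frozen=True)
class CDS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

    def to_text(self) -> str:
        return f"CDS {self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


@dataclass(frozen=True)
class CDNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: str

    def to_text(self) -> str:
        return f"CDNSKEY {self.flags} {self.protocol} {self.algorithm} {self.public_key}"


def _rdata_after(line: str, rrtype: str) -> List[str]:
    """Return the RDATA fields following the RR type token (owner/class optional)."""
    fields = line.split()
    if rrtype not in fields:
        raise ValueError(f"not a {rrtype} record: {line!r}")
    return fields[fields.index(rrtype) + 1:]


def parse_cds(line: str) -> CDS:
    tag, alg, dtype, *digest = _rdata_after(line, "CDS")
    return CDS(int(tag), int(alg), int(dtype), "".join(digest))


def parse_cdnskey(line: str) -> CDNSKEY:
    flags, proto, alg, *key = _rdata_after(line, "CDNSKEY")
    return CDNSKEY(int(flags), int(proto), int(alg), "".join(key))


def filter_cds(records: List[CDS]) -> List[str]:
    """Keep CDS records allowed by policy; emit the delete record if none survive."""
    kept = [
        r.to_text()
        for r in records
        if r.algorithm not in FORBIDDEN_ALGORITHMS
        and r.digest_type not in FORBIDDEN_DIGEST_TYPES
    ]
    return kept or [CDS_DELETE]


def filter_cdnskey(records: List[CDNSKEY]) -> List[str]:
    """Keep CDNSKEY records allowed by policy; emit the delete record if none survive."""
    kept = [r.to_text() for r in records if r.algorithm not in FORBIDDEN_ALGORITHMS]
    return kept or [CDNSKEY_DELETE]


if __name__ == "__main__":
    # Constructed sample: an RSASHA1 key with SHA1 and SHA-256 digests plus an
    # ECDSAP256SHA256 key (13). Only the ECDSA CDS survives, so no delete record.
    mixed = [
        parse_cds("example. IN CDS 12345 5 1 AABB"),
        parse_cds("example. IN CDS 12345 5 2 CCDD"),
        parse_cds("example. IN CDS 54321 13 2 EEFF"),
    ]
    print(filter_cds(mixed))
    # Constructed sample: an allowed algorithm but only a SHA1 digest; nothing
    # survives, so the delete record must be published instead of an empty set.
    sha1_only = [parse_cds("example. IN CDS 54321 13 1 EEFF")]
    print(filter_cds(sha1_only))
```

Publishing the delete record (rather than simply withholding CDS/CDNSKEY) is the point: a child that silently stops publishing CDS leaves the parent holding a DS it will never be told to remove.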
