The IESG has approved the following document:
- 'Clarifications on CDS/CDNSKEY and CSYNC Consistency'
  (draft-ietf-dnsop-cds-consistency-11.txt) as Proposed Standard

This document is the product of the Domain Name System Operations Working Group.

The IESG contact persons are Mahesh Jethanandani and Mohamed Boucadair.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/

Technical Summary

Maintenance of DNS delegations requires occasional changes of the DS and NS record sets on the parent side of the delegation. For the case of DS records, "Automating DNSSEC Delegation Trust Maintenance" (RFC 7344) provides automation by allowing the child to publish CDS and/or CDNSKEY records holding the prospective DS parameters which the parent can ingest. Similarly, "Child-to-Parent Synchronization in DNS" (RFC 7477) specifies CSYNC records to indicate a desired update of the delegation's NS (and glue) records. Parent-side entities (e.g., Registries and Registrars) can query these records from the child and, after validation, use them to update the parent-side Resource Record Sets (RRsets) of the delegation.

This document specifies that when performing such queries, parent-side entities have to ensure that updates triggered via CDS/CDNSKEY and CSYNC records are consistent across the child's authoritative nameservers, before taking any action based on these records.

This document updates RFC 7344 and RFC 7477.

Working Group Summary

There was no controversy during the development of the document in the WG. Comments from the WG and from the DNS Directorate Early Review, in particular, were adequately addressed.

Document Quality

This draft has been implemented by:

* TANGO Registry Services
* CORE Registry

Also, Oli Schafer reported on the WG mailing list: "We (Switch, ch./li.) implemented CDS consistency checking based on this draft in our CDS record scanner."

Personnel

The Document Shepherd for this document is Ondřej Surý. The Responsible Area Director is Mohamed Boucadair.
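The consistency requirement from the Technical Summary, as an added example that is not part of the announcement or the draft: it compares the CDS RRsets collected from each of a child's authoritative nameservers and returns a set to act on only when all of them agree. The nameserver names, key tags and digests are constructed, and treating a missing answer as blocking the update is an assumption of this example.

```python
# Added example: gate a DS update on CDS agreement across all child nameservers.
# Inputs are constructed; no DNS queries are made.

def parse_cds(rdata):
    """Parse presentation-format CDS RDATA: key tag, algorithm, digest type, digest."""
    tag, alg, dtype, *digest = rdata.split()
    # Hex digests are case-insensitive and may be split by whitespace.
    return int(tag), int(alg), int(dtype), "".join(digest).lower()

def check_cds_consistency(answers):
    """answers maps nameserver -> list of CDS RDATA strings, or None if no
    answer was obtained. Returns (rrset, None) when every nameserver serves
    the same RRset, else (None, reason)."""
    if not answers:
        return None, "no nameservers to query"
    per_ns = {}
    for ns in sorted(answers):
        if answers[ns] is None:
            # Assumption of this example: a missing answer blocks the update.
            return None, f"no answer obtained from {ns}"
        per_ns[ns] = frozenset(parse_cds(r) for r in answers[ns])
    reference_ns = min(per_ns)
    for ns, rrset in sorted(per_ns.items()):
        if rrset != per_ns[reference_ns]:
            return None, f"{ns} disagrees with {reference_ns}"
    return per_ns[reference_ns], None

# Constructed sample data (hypothetical names, placeholder digests).
NEW = "12345 13 2 " + "AB" * 32
OLD = "54321 13 2 " + "cd" * 32
AGREE = {"ns1.example.net.": [NEW], "ns2.example.org.": [NEW.lower()]}
STALE = {"ns1.example.net.": [NEW], "ns2.example.org.": [OLD]}
PARTIAL = {"ns1.example.net.": [NEW], "ns2.example.org.": []}
DOWN = {"ns1.example.net.": [NEW], "ns2.example.org.": None}

if __name__ == "__main__":
    for name, data in [("AGREE", AGREE), ("STALE", STALE),
                       ("PARTIAL", PARTIAL), ("DOWN", DOWN)]:
        rrset, reason = check_cds_consistency(data)
        print(name, "->", "update allowed" if reason is None else "blocked: " + reason)
```

The STALE and PARTIAL cases model a multi-provider child where one operator still serves old CDS data or none at all; acting on the first answer alone would install DS records that the other provider's zone does not match.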
