On 12-04-14 00:06, Warren Kumari wrote:

> The parent should use whichever one they choose, but MUST NOT query
> for both and perform consistency checks between the CDS and CDNSKEY
> records."
>
> "A parent MUST NOT perform a consistency check between CDS and
> CDNSKEY (other than for informational / debugging use)."

I want this part deleted.
Whether or not parents do DNS protocol verification is local policy and up to the parent. While pedantic to some, it may serve a local need to others.
An RFC is not the place to enforce a specific local policy to parents that annoys only a certain part of the DNS community.
Just state how the protocol works, but do not state it may or may not be verified.
This protocol does not only work for TLD registries, but especially also lower down the tree, and I know protocol verification is a reasonable requirement there for certain use cases.
If you're not happy with that local policy, choose a different parent or complain to your local parent, not the IETF.

You can publish a CDNSKEY or CDS or both.
If you publish both, they MUST match.

I can live with this line (watch the "MAY"):

"The parent MAY choose to only accept either CDS or CDNSKEY records (based upon local policy), but MUST NOT expect there to be both."

Because it is perfectly sane from a protocol perspective to only have one type and not the other if you know the local policy of your parent or have a preference as a child in case they accept both.

Since CDNSKEY and CDS MUST match, the parent can:

- accept CDNSKEY and only receive CDNSKEY
- accept CDS and only receive CDS
- accept both and have a preference for CDNSKEY if they receive both
- accept both and have a preference for CDS if they receive both
- accept both and use CDNSKEY if they only receive CDNSKEY
- accept both and use CDS if they only receive CDS
- accept CDNSKEY and not verify if they receive both
- accept CDS and not verify if they receive both
- accept CDNSKEY and verify if they receive both
- accept CDS and verify if they receive both
- .....

-- 
Antoin Verschuren

Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  M: +31 6 23368970
Mailto: antoin.verschu...@sidn.nl
XMPP: antoin.verschu...@jabber.sidn.nl
HTTP://www.sidn.nl/
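
For a parent whose local policy does verify, the CDS/CDNSKEY match discussed in this message can be checked by deriving the DS fields from each CDNSKEY (RFC 4034) and comparing them with the published CDS set. This is an added example, not part of the original e-mail or the draft; `check_consistency`, the tuple layouts, the constructed sample key, and the rule that every record in one set needs a counterpart in the other are assumptions made here.

```python
import hashlib
import struct

# Digest types this sketch checks (2 = SHA-256, 4 = SHA-384).
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}
# Constructed sample key: flags 257, protocol 3, algorithm 13, placeholder key bytes.
SAMPLE_KEY = (257, 3, 13, bytes(range(64)))

def name_to_wire(name):
    """Canonical lowercase wire form of the owner name (RFC 4034, 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, key, digest_type):
    """Derive the (tag, algorithm, digest type, hex digest) a CDS must carry."""
    rdata = dnskey_rdata(*key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), key[2], digest_type, digest)

def check_consistency(owner, cdnskeys, cds_set):
    """Return a list of mismatches; an empty list means the two sets agree."""
    problems, covered = [], set()
    for tag, alg, dtype, digest in cds_set:
        if dtype not in DIGESTS:
            problems.append(f"CDS {tag}: digest type {dtype} not checked")
            continue
        want = (tag, alg, dtype, digest.lower())
        hits = {i for i, k in enumerate(cdnskeys)
                if ds_from_dnskey(owner, k, dtype) == want}
        if not hits:
            problems.append(f"CDS {tag}: no matching CDNSKEY")
        covered |= hits
    for i, k in enumerate(cdnskeys):
        if i not in covered:
            problems.append(f"CDNSKEY {key_tag(dnskey_rdata(*k))}: no matching CDS")
    return problems

if __name__ == "__main__":
    good = ds_from_dnskey("example.com.", SAMPLE_KEY, 2)
    print(check_consistency("example.com.", [SAMPLE_KEY], [good]))
    print(check_consistency("example.com.", [SAMPLE_KEY], [good[:3] + ("00" * 32,)]))
```

A parent that accepts only one record type never reaches this check; it applies only where both sets are received and local policy compares them.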