"The Child may also remove old keys, but this document does not support removing all keys."

"When the Parent DS is "in-sync" with the CDS / CDNSKEY resource records, the Child DNS Operator MAY delete the CDS / CDNSKEY record(s);"

I read the whole thing a couple of times and it's not clear to me how to remove one or more DS. Once "in-sync", if the parental agent's polling mechanism detects a CDS for an existing DS, or a CDNSKEY for a matching DS, then you remove the DS, but not if it's the last one? Right? Or is there an "ADD/DELETE" parameter to the proposed CDS and CDNSKEY resource records to instruct the parental agent on the type of operation to perform?

Jack

> -----Original Message-----
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Joe Abley
> Sent: April-21-14 9:34 AM
> To: Warren Kumari
> Cc: dnsop; Paul Hoffman
> Subject: Re: [DNSOP] Working Group Last call for draft-ietf-dnsop-delegation-trust-maintainance
>
> On 16 Apr 2014, at 8:02, Warren Kumari <war...@kumari.net> wrote:
>
> > I think I made it even clearer:
> > The first time a DNS operator signs a zone, they need to communicate
> > the keying material to their parent through some out-of-band method to
> > complete the chain of trust. Depending on the desires of the parent,
> > the child might send their DNSKEY record, a DS record, or both.
>
> I don't think you mean "the first time a DNS operator signs a zone". You're
> making an assumption that a zone, once signed, will never be unsigned. In
> fact, a zone can be signed, then unsigned, any number of times.
>
> "Whenever a zone's insecure delegation is replaced by a secure delegation,
> the DNS operator needs to communicate the keying material..."
>
>
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
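The removal semantics Jack is asking about, as an added example that is not part of the message above, the draft, or any registry's code: a parental agent compares the CDS RRset it polled from the child against the DS RRset it currently publishes and makes the DS set equal to the CDS set. That drops old keys (a DS present in DS but absent from CDS), adds new ones, and does nothing when the two sets already match ("in-sync"). There is no ADD/DELETE flag; the CDS RRset is the desired end state. The one thing the quoted draft text rules out is ending up with no DS at all, so the function refuses that case. The record class, the function names, and the sample records are this example's own assumptions; the CDS RRset is assumed to have been DNSSEC-validated against the existing chain of trust before it is handed in.

```python
"""Reconcile a child's CDS RRset with the parent's DS RRset.

Added example, not code from the draft or from the list participants.
The DS class, function names and sample data are assumptions of this
example. Handles CDS only; a CDNSKEY would first be turned into DS
records by the parent, which is not shown here.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class DS:
    """One DS (or CDS, same RDATA) record in presentation-field order."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, lower-cased so set comparison is stable

    @classmethod
    def parse(cls, rdata: str) -> "DS":
        """Parse presentation-format RDATA such as '20000 13 2 ABCD...'.
        The digest may be split over several whitespace-separated tokens."""
        fields = rdata.split()
        if len(fields) < 4:
            raise ValueError(f"malformed DS/CDS rdata: {rdata!r}")
        key_tag, algorithm, digest_type, *digest = fields
        return cls(int(key_tag), int(algorithm), int(digest_type),
                   "".join(digest).lower())


class UnsupportedRemoval(Exception):
    """Applying the CDS set would leave the delegation with no DS at all."""


def plan_ds_update(current_ds: Iterable[DS],
                   cds: Optional[Iterable[DS]]) -> Tuple[Set[DS], Set[DS]]:
    """Return (to_add, to_remove) for the parent's DS RRset.

    Rules modelled here (assumptions drawn from the quoted draft text):
      * no CDS RRset published (None) -> the child asks for nothing, no change;
      * CDS == DS                     -> "in-sync", no change;
      * otherwise the DS RRset becomes equal to the CDS RRset, which may
        remove old keys but must never remove all of them.
    The caller is assumed to have DNSSEC-validated the CDS RRset with the
    currently published chain of trust before calling this.
    """
    current = set(current_ds)
    if cds is None:
        return set(), set()
    desired = set(cds)
    if not desired:
        # Going back to an insecure delegation is out of scope for the draft;
        # a parent must not be talked into unsigning the child this way.
        raise UnsupportedRemoval("CDS would remove every DS record; refusing")
    if desired == current:
        return set(), set()
    return desired - current, current - desired


def demo() -> Tuple[Set[DS], Set[DS]]:
    """Constructed sample: the child rolls key tag 20000 out and 40000 in."""
    current = [DS.parse("20000 13 2 " + "11" * 32),
               DS.parse("30000 13 2 " + "22" * 32)]
    cds = [DS.parse("30000 13 2 " + "22" * 32),
           DS.parse("40000 13 2 " + "33" * 32)]
    return plan_ds_update(current, cds)


if __name__ == "__main__":
    to_add, to_remove = demo()
    print("add:   ", sorted(d.key_tag for d in to_add))
    print("remove:", sorted(d.key_tag for d in to_remove))
```

In the sample, key tag 20000 is removed because it is no longer in the CDS RRset and key tag 40000 is added; the remaining DS (30000) keeps the chain of trust intact throughout. An operator who wants to retire a single key therefore just publishes a CDS RRset without it, and an agent that sees an identical CDS and DS set leaves the delegation alone.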