Hi Jacques,

On 04/23/2014 06:57 PM, Jacques Latour wrote:
> "The Child may also remove old keys, but this document does not
> support removing all keys."
>
> "When the Parent DS is "in-sync" with the CDS / CDNSKEY resource
> records, the Child DNS Operator MAY delete the CDS / CDNSKEY record(s);"
>
> Read the whole thing a couple of times and it's not clear to me how
> to remove one or more DS? Once "in-sync", if the parental agent

By removing the corresponding CDS/CDNSKEY from the CDS/CDNSKEY RRset.

> polling mechanism detects a CDS for an existing DS, or a CDNSKEY for a
> matching DS, then you remove the DS but not if it's the last one?

No: The parent would never remove a DS when it sees a CDS/CDNSKEY for an
existing DS.

> Right? Or there's an "ADD/DELETE" parameter to the proposed CDS and
> CDNSKEY resource records to instruct the parental agent on the type
> of operation to perform?

Let me try to rephrase:

The child can signal its desire to add DS records by publishing
corresponding records in the CDS/CDNSKEY RRset.

The child can also signal its desire to remove DS records by removing the
corresponding records from the CDS/CDNSKEY RRset again.

If the CDS/CDNSKEY RRset is in-sync with the DS RRset at the parent, the
child MAY remove the CDS/CDNSKEY RRset from its zone. If the parent sees no
CDS/CDNSKEY RRset published in the child's zone, this means there is no
action to perform for the parent. Hence, this document does not support
removing all DS records from the parent.

Best regards,
Matthijs

> Jack
>
>> -----Original Message-----
>> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Joe Abley
>> Sent: April-21-14 9:34 AM
>> To: Warren Kumari
>> Cc: dnsop; Paul Hoffman
>> Subject: Re: [DNSOP] Working Group Last call for
>> draft-ietf-dnsop-delegation-trust-maintainance
>>
>> On 16 Apr 2014, at 8:02, Warren Kumari <war...@kumari.net> wrote:
>>
>>> I think I made it even clearer: The first time a DNS operator
>>> signs a zone, they need to communicate the keying material to
>>> their parent through some out-of-band method to complete the
>>> chain of trust. Depending on the desires of the parent, the child
>>> might send their DNSKEY record, a DS record, or both.
>>
>> I don't think you mean "the first time a DNS operator signs a
>> zone". You're making an assumption that a zone, once signed, will
>> never be unsigned. In fact, a zone can be signed, then unsigned,
>> any number of times.
>>
>> "Whenever a zone's insecure delegation is replaced by a secure
>> delegation, the DNS operator needs to communicate the keying
>> material..."
>>
>> Joe
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
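The add/remove semantics Matthijs describes, as an added example that is not part of the thread or of any parental-agent implementation: the child's published CDS RRset is treated as the desired DS set, an absent CDS RRset means "no action", and the `DS` fields and sample digests are constructed placeholders.

```python
# Added example (not from the thread): parental-agent sync logic for CDS.
# The CDS RRset is the child's desired DS RRset; an empty/absent CDS RRset
# means "nothing to do", which is exactly why the last DS cannot be removed.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class DS:
    """One DS or CDS record, compared on its full RDATA (constructed fields)."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex

    def __post_init__(self):
        # Normalize hex case so "AB" and "ab" never look like different records.
        object.__setattr__(self, "digest", self.digest.lower())


def plan_ds_update(parent_ds: Iterable[DS], child_cds: Iterable[DS]
                   ) -> Optional[Tuple[FrozenSet[DS], FrozenSet[DS]]]:
    """Return (to_add, to_remove) for the parent, or None when no CDS is published.

    Assumes the caller only passes a CDS RRset that validated under DNSSEC.
    """
    wanted = frozenset(child_cds)
    if not wanted:
        return None          # no CDS RRset: parent takes no action at all
    have = frozenset(parent_ds)
    return wanted - have, have - wanted


def in_sync(parent_ds: Iterable[DS], child_cds: Iterable[DS]) -> bool:
    """True once the parent's DS RRset equals the child's published CDS RRset."""
    return frozenset(parent_ds) == frozenset(child_cds)


# Constructed sample records; the digests are placeholders, not real hashes.
DS_OLD = DS(12345, 8, 2, "aa" * 32)
DS_NEW = DS(54321, 8, 2, "bb" * 32)


def demo() -> FrozenSet[DS]:
    parent = frozenset({DS_OLD})
    # 1. Child introduces a new key: CDS RRset lists both old and new DS.
    add, rem = plan_ds_update(parent, {DS_OLD, DS_NEW})
    parent = (parent | add) - rem
    # 2. Child retires the old key: it drops that record from the CDS RRset.
    add, rem = plan_ds_update(parent, {DS_NEW})
    parent = (parent | add) - rem
    # 3. In sync, the child withdraws the CDS RRset: the parent does nothing.
    assert in_sync(parent, {DS_NEW}) and plan_ds_update(parent, set()) is None
    return parent
```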