On Mon, 27 Jun 2022, Peter Thomassen wrote:

> In a multi-signer setup, this means that a single provider can (accidentally or maliciously) roll the DS record at the parent.

That's a good point.

> I thus propose to update RFC 7344 along the lines of (2), such that it is REQUIRED to retrieve CDS/CDNSKEY records using queries to all authoritative nameservers.

The question is now how to phrase this exactly. Do we want the parent to use
its "external" knowledge of NS records of the child, e.g. from its WHOIS data?
That would be clean and simple.

Or are we okay that it queries for the NS records to get the list?
If so, it would need to require DNSSEC for the NS RRset, but there might
be more than one validly signed NS RRset if these nameservers are out
of sync. In that case, which of these is the intended one?

> Such a change would also prevent CDS/CDNSKEY loops, where one secondary has a replication issue and keeps announcing an old C* RRset (and the parent happens to retrieve alternating information during daily scans, for example).

Also a good point.

> Does the WG think this is a reasonable thing to pursue?

I think this could be an excellent super short RFC that Updates: 7344.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
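To make the two points in the thread concrete (a single provider rolling DS unilaterally, and a stale secondary causing the parent's DS to flap across daily scans), here is an added example of the parent-side acceptance rule being proposed. It is not code from the thread or from any registry; the record layout, the server names under `.example`, the `OLD`/`NEW` CDS RRsets and the scan schedule are all constructed. A real parent would fetch and DNSSEC-validate the CDS RRset from each server before handing it to these functions, and would take its list of delegated servers from its own registration data rather than from a child NS query, which is what `DELEGATION_NS` stands in for.

```python
"""Parent-side acceptance of CDS records under a multi-signer delegation.

Added example, not code from the thread. The record layout, server names and
scan sequence are constructed; a real parent fetches and DNSSEC-validates the
CDS RRset from each authoritative server before feeding it in here.
"""
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

CDS = Tuple[int, int, int, str]   # (key tag, algorithm, digest type, digest hex)
CDSSet = FrozenSet[CDS]

# The parent's own record of the delegation (e.g. from registration data),
# so the server list cannot be steered by an out-of-sync child NS RRset.
DELEGATION_NS: Sequence[str] = ("ns1.provider-a.example", "ns2.provider-b.example")

# Constructed CDS RRsets: what the parent currently has as DS, and the set
# provider A has started publishing on its own.
OLD: CDSSet = frozenset({(11111, 13, 2, "aa" * 32)})
NEW: CDSSet = frozenset({(11111, 13, 2, "aa" * 32), (22222, 13, 2, "bb" * 32)})


def unanimous_cds(answers: Dict[str, Optional[CDSSet]],
                  expected_ns: Sequence[str] = DELEGATION_NS) -> Optional[CDSSet]:
    """Return the CDS RRset only if every delegated nameserver returned the
    same validated set. None means the parent must leave DS untouched."""
    sets: List[CDSSet] = []
    for ns in expected_ns:
        rrset = answers.get(ns)
        if rrset is None:            # not queried, timed out, or failed validation
            return None
        sets.append(rrset)
    if len(set(sets)) != 1:          # disagreement: replication lag or a unilateral roll
        return None
    return sets[0]


def scan_single_server(current: CDSSet, answer: Optional[CDSSet]) -> CDSSet:
    """Plain RFC 7344 style: act on whichever server the resolver happened to ask."""
    return current if answer is None else answer


def scan_all_servers(current: CDSSet, answers: Dict[str, Optional[CDSSet]]) -> CDSSet:
    """Proposed rule: act only on a unanimous answer from all delegated servers."""
    agreed = unanimous_cds(answers)
    return current if agreed is None else agreed


def simulate(days: int, stale_until: int) -> Tuple[List[CDSSet], List[CDSSet]]:
    """Daily scans while ns2 keeps serving OLD until day `stale_until`.
    The single-server parent hits a different server each day (round robin);
    returns the DS history under each policy."""
    single: List[CDSSet] = []
    everyone: List[CDSSet] = []
    ds_single, ds_all = OLD, OLD
    for day in range(days):
        answers: Dict[str, Optional[CDSSet]] = {
            "ns1.provider-a.example": NEW,
            "ns2.provider-b.example": OLD if day < stale_until else NEW,
        }
        picked = DELEGATION_NS[day % len(DELEGATION_NS)]
        ds_single = scan_single_server(ds_single, answers[picked])
        ds_all = scan_all_servers(ds_all, answers)
        single.append(ds_single)
        everyone.append(ds_all)
    return single, everyone


if __name__ == "__main__":
    label = {OLD: "OLD", NEW: "NEW"}
    single, everyone = simulate(days=6, stale_until=4)
    for day, (s, a) in enumerate(zip(single, everyone)):
        print(f"day {day}: single-server DS={label[s]}  all-servers DS={label[a]}")
```

With one stale secondary the single-server parent flips DS back and forth every day (the loop Peter describes), while the all-servers rule holds the old DS until both providers agree and then moves once. The same `unanimous_cds` check is what stops provider A from rolling DS on its own: as long as provider B still serves the old CDS set, there is no unanimous answer and the parent does nothing.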