Dear DNSOP,

This revision incorporates the feedback from IETF 114, specifically that the CDS/CDNSKEY consistency check should be tolerant towards servers that don't serve these records or that are unresponsive.

It occurred to me that the same (and in a way, worse) problem exists with CSYNC. I therefore extended the draft so that it covers both CDS/CDNSKEY and CSYNC processing, spelled out in dedicated sections.

To clarify the scope of the problem, I also added a "Failure Scenarios" section that describes what can happen if consistency is not ensured. Without some kind of consistency check, it's rather dangerous to run a multi-homed DNSSEC setup or to do a provider change for a secure delegation. (It's just not safe enough against accidents.) I thus think we should make these implications widely known, before more child scanning is deployed in unsafe ways.

I'm looking forward to your feedback.

Thanks,
Peter

-------- Forwarded Message --------
Subject: New Version Notification for draft-thomassen-dnsop-cds-consistency-01.txt
Date: Wed, 14 Sep 2022 17:44:59 -0700
From: internet-dra...@ietf.org
To: Peter Thomassen <peter.thomas...@securesystems.de>

A new version of I-D, draft-thomassen-dnsop-cds-consistency-01.txt has been successfully submitted by Peter Thomassen and posted to the IETF repository.

Name: draft-thomassen-dnsop-cds-consistency
Revision: 01
Title: Consistency for CDS/CDNSKEY and CSYNC is Mandatory
Document date: 2022-09-15
Group: Individual Submission
Pages: 8
URL: https://www.ietf.org/archive/id/draft-thomassen-dnsop-cds-consistency-01.txt
Status: https://datatracker.ietf.org/doc/draft-thomassen-dnsop-cds-consistency/
Html: https://www.ietf.org/archive/id/draft-thomassen-dnsop-cds-consistency-01.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-thomassen-dnsop-cds-consistency
Diff: https://www.ietf.org/rfcdiff?url2=draft-thomassen-dnsop-cds-consistency-01

Abstract:

Maintenance of DNS delegations requires occasional changes of the DS and NS record sets on the parent side of the delegation. [RFC7344] automates this for DS records by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Similarly, CSYNC records indicate a desired update of the delegation's NS records [RFC7477]. Parent-side entities (e.g. Registries, Registrars) typically discover these records by periodically querying them from the child ("polling"), before using them to update the delegation's parameters. This document specifies that if polling is used, parent-side entities MUST ensure that updates triggered via CDS/CDNSKEY and CSYNC records are consistent across the child's authoritative nameservers, before taking any action based on these records.

The IETF Secretariat

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
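The consistency decision the abstract requires of a polling parent, as an added example that is not taken from the draft or from the mail above: the per-nameserver answers are constructed data rather than live DNS queries, the tolerance for unresponsive servers and for servers that serve no such records follows the first paragraph of the mail, and treating an all-empty result as "no action" is an assumption of this example, not draft text.

```python
"""Consistency check a polling parent can run on CDS/CDNSKEY or CSYNC answers.

Added example (not the draft's text): answers are supplied as constructed
data instead of live DNS queries, so the decision logic runs offline.
"""
from typing import FrozenSet, Mapping, Optional

# One answer per authoritative nameserver, for one record type:
#   None        -> server unresponsive / SERVFAIL (tolerated, per the mail)
#   frozenset() -> server answered but serves no such records (tolerated)
#   non-empty   -> the RRset, as canonical rdata strings
Answer = Optional[FrozenSet[str]]


def consistent_rrset(answers: Mapping[str, Answer]) -> Optional[FrozenSet[str]]:
    """Return the RRset the parent may act on, or None if it must not act.

    Proceeds only when every server that actually serves the record type
    returns the identical RRset.  An all-empty result yields None (nothing
    to do); that rule is this example's assumption, not text from the draft.
    """
    published = [rrset for rrset in answers.values() if rrset]
    if not published:
        return None
    first = published[0]
    if all(rrset == first for rrset in published):
        return first
    return None  # divergent answers: abort, leave the delegation untouched


# Constructed scenario: example.net is multi-homed across two providers.
# Provider A has rolled its KSK and publishes a new CDS; provider B still
# publishes the old one.  Digests are placeholders, not real hashes.
CDS_OLD = frozenset({"1001 13 2 PLACEHOLDER-DIGEST-OLD"})
CDS_NEW = frozenset({"2002 13 2 PLACEHOLDER-DIGEST-NEW"})

MID_ROLLOVER = {
    "ns1.provider-a.example": CDS_NEW,
    "ns2.provider-a.example": CDS_NEW,
    "ns1.provider-b.example": CDS_OLD,  # not yet updated: inconsistent
}
TOLERATED_GAPS = {
    "ns1.provider-a.example": CDS_NEW,
    "ns2.provider-a.example": CDS_NEW,
    "ns1.provider-b.example": None,         # timed out: tolerated
    "ns2.provider-b.example": frozenset(),  # serves no CDS: tolerated
}

if __name__ == "__main__":
    print("mid-rollover:", consistent_rrset(MID_ROLLOVER))  # None -> no DS update
    print("gaps only:", sorted(consistent_rrset(TOLERATED_GAPS)))  # new CDS -> safe
```

The same function serves CSYNC: pass the per-server CSYNC rdata strings instead and act only on a non-None result.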