Hi Matthijs,
On 6/20/23 07:30, Matthijs Mekking wrote:
> From the draft:
>
>     For example, a single provider may (accidentally or
>     maliciously) cause another provider's trust anchors and/or
>     nameservers to be removed from the delegation.
>
> This is exactly what happened in my test environment

Interesting to hear that it is not a hypothetical problem!

> The existing documents lack any words on where specifically to query for
> CDS/CDNSKEY, and also what to do in case of inconsistencies.
Section 3.1 says:

    To retrieve a Child's CDS/CDNSKEY RRset for DNSSEC delegation trust
    maintenance, the Parental Agent, knowing both the Child zone name and
    its NS hostnames, MUST ascertain that queries are made against all of
    the nameservers listed in the Child's delegation from the Parent

That is: once from each NS hostname, but not necessarily from all IP addresses
(we can discuss that), and even less from all Anycast instances (there's no way
to do that).
Does that clarify the issue?
Thanks,
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
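As an added illustration of the Section 3.1 rule quoted above and of the failure Matthijs hit (query every NS hostname in the parent's delegation, and leave the DS RRset alone when the answers disagree), here is a small Python model of the parental-agent decision. This is example code written for this page, not the draft's reference behaviour and not anything from deSEC or the thread participants. The nameserver names, key tags and digests are made up, and the per-NS "responses" are constructed dicts standing in for real CDS queries, so it runs offline. It also shows, for contrast, what happens when a parent polls only one provider's nameservers: the other provider's DS is silently dropped.

```python
"""Polling CDS from every delegated NS and refusing inconsistent answers.

Added example, not code from the draft or from the thread participants.
All nameserver names, key tags and digests below are made up, and the
"responses" are constructed dicts standing in for real CDS queries to
each NS hostname, so this runs offline.
"""
from typing import Dict, FrozenSet, List, Tuple

RRset = FrozenSet[str]  # rdata strings of one CDS RRset, order-free

# Constructed rdata: "keytag algorithm digesttype digest" (CDS rdata == DS rdata).
CDS_A = "12345 13 2 " + "a1" * 32  # provider A's KSK (invented)
CDS_B = "54321 13 2 " + "b2" * 32  # provider B's KSK (invented)

# The child is multi-signer: two providers, two NS each, all four listed
# in the parent's delegation. Healthy state: every NS serves both CDS.
HEALTHY: Dict[str, RRset] = {
    "ns1.provider-a.example.": frozenset({CDS_A, CDS_B}),
    "ns2.provider-a.example.": frozenset({CDS_A, CDS_B}),
    "ns1.provider-b.example.": frozenset({CDS_A, CDS_B}),
    "ns2.provider-b.example.": frozenset({CDS_A, CDS_B}),
}

# Broken state: provider A (accidentally or maliciously) dropped B's CDS
# from the zone copy it serves; provider B's copy still has both.
BROKEN: Dict[str, RRset] = {
    "ns1.provider-a.example.": frozenset({CDS_A}),
    "ns2.provider-a.example.": frozenset({CDS_A}),
    "ns1.provider-b.example.": frozenset({CDS_A, CDS_B}),
    "ns2.provider-b.example.": frozenset({CDS_A, CDS_B}),
}

NO_CHANGE_INCONSISTENT = "inconsistent CDS across NS, no change"
NO_CHANGE_EMPTY = "no CDS published, no change"
NO_CHANGE_IN_SYNC = "DS already matches CDS, no change"
UPDATE = "update DS"


def group_by_answer(responses: Dict[str, RRset]) -> Dict[RRset, List[str]]:
    """Map each distinct CDS RRset to the (sorted) NS hostnames serving it."""
    groups: Dict[RRset, List[str]] = {}
    for ns, rrset in responses.items():
        groups.setdefault(rrset, []).append(ns)
    for names in groups.values():
        names.sort()
    return groups


def decide_ds(current_ds: RRset, responses: Dict[str, RRset]) -> Tuple[str, RRset]:
    """Parental-agent decision after querying every NS in the delegation.

    `responses` holds one answer per NS hostname listed at the parent.
    Returns (reason, DS RRset to publish); the DS set is left untouched
    unless all NS returned the same non-empty CDS RRset.
    """
    if not responses:
        raise ValueError("delegation lists no nameservers to query")
    groups = group_by_answer(responses)
    if len(groups) != 1:
        # Disagreement between NS: acting on any single answer could drop
        # the other provider's trust anchor, so leave the DS alone.
        return NO_CHANGE_INCONSISTENT, current_ds
    (cds,) = groups
    if not cds:
        return NO_CHANGE_EMPTY, current_ds
    if cds == current_ds:
        return NO_CHANGE_IN_SYNC, current_ds
    return UPDATE, cds


def query_subset(responses: Dict[str, RRset], provider_suffix: str) -> Dict[str, RRset]:
    """Simulate a parent that (wrongly) polls only one provider's NS."""
    return {ns: r for ns, r in responses.items() if ns.endswith(provider_suffix)}


if __name__ == "__main__":
    published = frozenset({CDS_A, CDS_B})
    print(decide_ds(published, HEALTHY)[0])
    print(decide_ds(published, BROKEN)[0])
    # Polling only provider A's NS would silently remove provider B's DS.
    reason, new_ds = decide_ds(published, query_subset(BROKEN, "provider-a.example."))
    print(reason, sorted(new_ds))
```

The model keys responses by NS hostname, matching the "once from each NS hostname" reading in the reply; a parent that also wanted per-address coverage could key the dict by (hostname, address) without changing the decision logic, and the point about Anycast instances stays out of reach either way.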