[dns-operations] DS RR in authoritative NS?
warren at kumari.net
Mon Aug 10 23:16:25 UTC 2015
On Friday, August 7, 2015, Casey Deccio <casey at deccio.net> wrote:
> On Fri, Aug 7, 2015 at 1:02 PM, Jim Popovitch <jimpop at gmail.com
>> Looking for best practice advice on whether or not an authoritative NS
>> should publish DS RRs.
> The zone authoritative for DS records is the parent zone (RFC 4033,
> section 2, "Authoritative RRset"). So, if you want a secure link between
> parent and child, then you publish the DS records in the parent. But you
> never publish them in the child; it would be considered out-of-zone data.
Although you can publish a CDS record ( https://tools.ietf.org/html/rfc7344 ) in the child. This is intended to allow the parent to scrape the child to allow easier/more automated key rollover.
It won't actually accomplish anything yet, but, well...
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
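As an added illustration (not part of the thread, and not code from any of the posters), the following Python script shows the relationship the replies describe: DS records belong in the parent, the child's CDS set is only a request to the parent, and both can be checked against the child's DNSKEY set by deriving DS digests the way RFC 4034 specifies (digest type 2, SHA-256 over the canonical owner name followed by the DNSKEY RDATA). The owner name `child.example.` and the key bytes are constructed placeholders, and the script makes no DNS queries; it only classifies records the operator has already fetched.

```python
# Added example: derive DS from DNSKEY (RFC 4034) and reconcile the parent's DS set
# with the child's CDS set (RFC 7344). Owner name and key material are constructed.
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    uncompressed length-prefixed labels, terminated by the root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): sum the RDATA as
    big-endian 16-bit words, fold the carry back in, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> tuple:
    """DS (or CDS) RDATA as (key_tag, algorithm, digest_type, digest_hex).
    Digest type 2 = SHA-256(canonical owner name || DNSKEY RDATA), RFC 4034 5.1.4 / RFC 4509."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def audit_delegation(owner: str, child_dnskeys: list, parent_ds: set, child_cds: set) -> dict:
    """Relate the three places a DS-shaped record can appear.

    child_dnskeys: list of (flags, protocol, algorithm, key_bytes) served by the child
    parent_ds:     set of DS tuples served by the parent, which is authoritative for DS
    child_cds:     set of CDS tuples served by the child; a request to the parent, not
                   a secure link by itself (RFC 7344)
    """
    derived = {ds_from_dnskey(owner, *key) for key in child_dnskeys}
    return {
        # DS in the parent that matches a DNSKEY the child currently serves
        "secure_links": parent_ds & derived,
        # DS in the parent for a key the child no longer publishes: validation will fail
        "stale_parent_ds": parent_ds - derived,
        # CDS backed by a child DNSKEY but not yet in the parent: the rollover is waiting
        "cds_pending": (child_cds & derived) - parent_ds,
        # CDS that matches no child DNSKEY: a misconfiguration the parent must not honour
        "cds_bogus": child_cds - derived,
    }


def demo() -> dict:
    """Constructed scenario: the child has rolled in a new KSK and published CDS for
    both keys, but the parent still only carries DS for the old one."""
    owner = "child.example."  # constructed placeholder zone
    old_ksk = (257, 3, 13, bytes(range(32)))      # flags 257 = ZONE + SEP, alg 13 (ECDSAP256)
    new_ksk = (257, 3, 13, bytes(range(32, 64)))  # constructed, not a real key
    parent_ds = {ds_from_dnskey(owner, *old_ksk)}
    child_cds = {ds_from_dnskey(owner, *old_ksk), ds_from_dnskey(owner, *new_ksk)}
    return audit_delegation(owner, [old_ksk, new_ksk], parent_ds, child_cds)


if __name__ == "__main__":
    for bucket, records in demo().items():
        print(bucket)
        for tag, alg, dtype, digest in sorted(records):
            print(f"  {tag} {alg} {dtype} {digest}")
```

The `cds_pending` bucket is the one a parent-side CDS scanner acts on, and `cds_bogus` is the reason such a scanner must validate a CDS against the child's signed DNSKEY set rather than copying it blindly; `stale_parent_ds` is what the DS-in-parent-only rule protects against when a child rolls keys without updating the delegation.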