[dns-operations] DS RR in authoritative NS?

Warren Kumari warren at kumari.net
Mon Aug 10 23:16:25 UTC 2015

On Friday, August 7, 2015, Casey Deccio <casey at deccio.net> wrote:

> On Fri, Aug 7, 2015 at 1:02 PM, Jim Popovitch <jimpop at gmail.com> wrote:
>> Looking for best practice advice on whether or not an authoritative NS
>> should publish DS RRs.
> The zone authoritative for DS records is the parent zone (RFC 4033,
> section 2, "Authoritative RRset").  So, if you want a secure link between
> parent and child, then you publish the DS records in the parent.  But you
> never publish them in the child; it would be considered out-of-zone data.

Although you can publish a CDS record (https://tools.ietf.org/html/rfc7344)
in the child. This is intended to allow the parent to scrape the child to
allow easier/more automated key rollover.

It won't actually accomplish anything yet, but, well...


> Cheers,
> Casey

I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
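As an added example (not part of this thread), here is a parent-side acceptance check for child-published CDS records per RFC 7344 section 4.1: the CDS RRset must be signed by a key already represented in the parent's current DS RRset, and the RFC 8078 delete record ("0 0 0 00") must stand alone. The record values and function names are constructed for illustration; the caller is assumed to have DNSSEC-validated the child's CDS RRset and extracted the signing key tags from its RRSIGs.

```python
# Added example: parent-side policy for accepting a child's CDS RRset
# (RFC 7344 section 4.1; delete record from RFC 8078). Not code from
# the mailing-list thread. Record values below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex

DELETE_CDS = DS(0, 0, 0, "00")  # RFC 8078 "remove my DS" signal

def parse_ds(rdata: str) -> DS:
    """Parse presentation-format DS/CDS RDATA, e.g. '12345 13 2 ABCD...'."""
    tag, alg, dtype, *digest = rdata.split()
    return DS(int(tag), int(alg), int(dtype), "".join(digest).upper())

def evaluate_cds(current_ds, child_cds, rrsig_key_tags):
    """Decide what the parent should do with a scraped CDS RRset.

    current_ds: DS RDATA strings currently published in the parent.
    child_cds: CDS RDATA strings scraped from the child apex.
    rrsig_key_tags: key tags of the DNSKEYs that signed the CDS RRset
                    (already DNSSEC-validated by the caller).
    Returns (accept, reason, new_ds_set).
    """
    ds = {parse_ds(r) for r in current_ds}
    cds = {parse_ds(r) for r in child_cds}
    if not ds:
        # 7344 requires out-of-band bootstrap; CDS alone is not enough.
        return False, "no DS in parent: initial enrolment needs out-of-band check", ds
    # 4.1: CDS must be signed by a key represented in the current DS RRset,
    # so only a holder of a currently trusted key can change the DS.
    if not any(k.key_tag in rrsig_key_tags for k in ds):
        return False, "CDS RRset not signed by a key in the current DS RRset", ds
    if cds == ds:
        return False, "CDS matches DS: nothing to do", ds
    if DELETE_CDS in cds:
        if len(cds) > 1:
            return False, "delete record mixed with other CDS records", ds
        return True, "remove DS RRset (RFC 8078 delete)", set()
    return True, "replace DS RRset with CDS contents", cds
```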