[dns-operations] DS RR in authoritative NS?

Warren Kumari warren at kumari.net
Mon Aug 10 23:16:25 UTC 2015


On Friday, August 7, 2015, Casey Deccio <casey at deccio.net> wrote:

> On Fri, Aug 7, 2015 at 1:02 PM, Jim Popovitch <jimpop at gmail.com> wrote:
>
>> Looking for best practice advice on whether or not an authoritative NS
>> should publish DS RRs.
>
>
> The zone authoritative for DS records is the parent zone (RFC 4033,
> section 2, "Authoritative RRset").  So, if you want a secure link between
> parent and child, then you publish the DS records in the parent.  But you
> never publish them in the child; it would be considered out-of-zone data.
>


Although you can publish a CDS record (https://tools.ietf.org/html/rfc7344)
in the child. This is intended to allow the parent to scrape the child to
allow easier/more automated key rollover.

It won't actually accomplish anything yet, but, well...

W


> Cheers,
> Casey
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
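As an added illustration of the parent/child split discussed in this thread (example code, not from any of the posters), the script below derives the DS RDATA a parent would publish from a child's DNSKEY, which is the same RDATA the child's CDS record (RFC 7344) carries, and then checks whether the parent's DS set actually matches a key the child serves at its apex. The owner name, flags and the 4-byte "public key" are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (generic algorithm, not the RSA/MD5 special case)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS/CDS RDATA tuple (key tag, algorithm, digest type, hex digest) for a
    child DNSKEY: digest = SHA-256(owner name in wire form || DNSKEY RDATA).
    Only digest type 2 (SHA-256) is handled here."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def secure_link(parent_ds_set, owner, child_dnskeys):
    """True if at least one DS the parent publishes for `owner` matches a DNSKEY
    that the child actually serves; otherwise the delegation is not securely linked."""
    computed = {ds_from_dnskey(owner, *k) for k in child_dnskeys}
    return bool(parent_ds_set & computed)


# Constructed sample data, not a real key: a 4-byte "public key" keeps the example
# readable; real ECDSA/RSA keys are just longer base64 blobs with the same layout.
CHILD_OWNER = "example.com."
CHILD_DNSKEYS = [(257, 3, 13, "AQIDBA==")]   # flags=257: KSK with the SEP bit set
CHILD_CDS = {ds_from_dnskey(CHILD_OWNER, *k) for k in CHILD_DNSKEYS}   # child's CDS RRset
PARENT_DS = set(CHILD_CDS)   # what the parent publishes after scraping the child's CDS

if __name__ == "__main__":
    tag, alg, dtype, digest = next(iter(CHILD_CDS))
    print(f"{CHILD_OWNER} IN DS {tag} {alg} {dtype} {digest}")
    print("parent->child link secure:", secure_link(PARENT_DS, CHILD_OWNER, CHILD_DNSKEYS))
```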