[dns-operations] Should parents look for CDNSKEY or CDS, or both?
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Oct 14 12:08:14 UTC 2025
On Tue, Oct 14, 2025 at 11:09:59AM +0200, Peter Thomassen via dns-operations wrote:
> Section 6.1:
>
> 2. Parents, independently of their preference for CDS or CDNSKEY,
> SHOULD require publication of both RRsets, and SHOULD NOT proceed
> with updating the DS RRset if one is found missing or
> inconsistent with the other.
>
> While this at first glance indeed may seem like a not-so-good idea,
> there are some arguments why the alternative may be an even worse
> idea. An analysis of the problem is given in Section 6.2, which for
> convenience I'm pasting below.
>
> It would be extremely helpful to learn what's the view of DNSOP
> participants on this matter, so you are invited :-)
>
> Several notes:
>
> a) The draft is only for new deployments of DS automation; it is not
> trying to create work for existing ones.
>
> b) The previous recommendation tells children to publish both; this
> one is about the parent-side enforcement.
>
> c) A misconception (to be clarified in the draft): the above does not
> prevent the parent from choosing a digest type that's not in CDS. It
> requires only that both RRsets exist and refer to the same keys, not
> that the parent uses the exact digest types for the DS RRset.
My instinct is that the proposed requirements are needlessly strong: if
a child publishes CDNSKEY, there is nothing to be gained by the parent
also *mandating* corresponding CDS records. Yes, the child SHOULD
publish both, just in case the parent only supports CDS, but since
parents are expected to process both when both are published, until
and unless CDNSKEY is deprecated, I don't see a need to publish both.
If a child zone wants to enable CDS as a sanity check, fine, but if
not, CDNSKEY should, I think, suffice.
--
Viktor. 🇺🇦 Слава Україні!
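As an added illustration (not part of Viktor's or Peter's mail, nor of the draft), here is a Python sketch of the Section 6.1 rule quoted above: the parent derives DS from each CDNSKEY itself and proceeds only when a CDS RRset exists and matches it key for key and digest for digest. The owner name, key bytes and record values are constructed for the example and are not a real key.

```python
import base64
import hashlib
import struct
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types verified here; 3 (GOST) is not

def name_to_wire(name):
    """Owner name in canonical (lowercase) wire form, as it is hashed into a DS digest."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def cdnskey_to_ds(owner, flags, proto, alg, pubkey_b64, digest_type=2):
    """DS tuple (key tag, alg, digest type, hex digest) a parent would derive from one CDNSKEY."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)

def consistent(owner, cdnskey_rrset, cds_rrset):
    """Section 6.1 rule: both RRsets present and referring to the same keys; otherwise do not proceed."""
    if not cdnskey_rrset or not cds_rrset:
        return False
    types = {d for _, _, d, _ in cds_rrset}
    if not types <= set(DIGESTS):
        return False  # a digest type the parent cannot verify cannot be shown consistent
    # DS records the parent itself would derive from CDNSKEY, for every digest type seen in CDS
    expected = {}
    for flags, proto, alg, key in cdnskey_rrset:
        for dt in types:
            tag, a, d, digest = cdnskey_to_ds(owner, flags, proto, alg, key, dt)
            expected[(tag, a, d)] = digest
    # same key set in both directions, then exact digest agreement for every CDS record
    if {(t, a) for t, a, _, _ in cds_rrset} != {(t, a) for t, a, _ in expected}:
        return False
    return all(expected[(t, a, d)] == dg.upper() for t, a, d, dg in cds_rrset)

# Constructed sample: one KSK-flagged CDNSKEY (algorithm 13) whose key bytes are not a real key
OWNER = "child.example."
SAMPLE_CDNSKEY = [(257, 3, 13, base64.b64encode(b"constructed key bytes").decode())]
def demo():
    """Outcomes for (CDS derived from the CDNSKEY, CDS RRset missing, CDS digest tampered)."""
    good_cds = [cdnskey_to_ds(OWNER, *k) for k in SAMPLE_CDNSKEY]
    tampered = [(t, a, d, "00" * 32) for t, a, d, _ in good_cds]
    return (consistent(OWNER, SAMPLE_CDNSKEY, good_cds),
            consistent(OWNER, SAMPLE_CDNSKEY, []),
            consistent(OWNER, SAMPLE_CDNSKEY, tampered))
```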