[dns-operations] Should parents look for CDNSKEY or CDS, or both?
Hugo Salgado
hsalgado at vulcano.cl
Wed Oct 15 00:34:57 UTC 2025
On 23:08 14/10, Viktor Dukhovni wrote:
> On Tue, Oct 14, 2025 at 11:09:59AM +0200, Peter Thomassen via dns-operations wrote:
>
> > Section 6.1:
> >
> > 2. Parents, independently of their preference for CDS or CDNSKEY,
> > SHOULD require publication of both RRsets, and SHOULD NOT proceed
> > with updating the DS RRset if one is found missing or
> > inconsistent with the other.
> >
> > While this at first glance indeed may seem like a not-so-good idea,
> > there are some arguments why the alternative may be an even worse
> > idea. An analysis of the problem is given in Section 6.2, which for
> > convenience I'm pasting below.
> >
> > It would be extremely helpful to learn what's the view of DNSOP
> > participants on this matter, so you are invited :-)
> >
> > Several notes:
> >
> > a) The draft is only for new deployments of DS automation; it is not
> > trying to create work for existing ones.
> >
> > b) The previous recommendation tells children to publish both; this
> > one is about the parent-side enforcement.
> >
> > c) A misconception (to be clarified in the draft): the above does not
> > prevent the parent from choosing a digest type that's not in CDS. It
> > requires only that both RRsets exist and refer to the same keys, not
> > that the parent uses the exact digest types for the DS RRset.
>
> My instinct is that the proposed requirements are needlessly strong, if
> a child publishes CDNSKEY, there is nothing to be gained by the parent
> also *mandating* corresponding CDS records. Yes, the child SHOULD
> publish both, just in case the parent only supports CDS, but since
> parents are expected to process both when both are published, until
> and unless CDNSKEY is deprecated, I don't see a need to publish both.
>
> If a child zone wants to enable CDS as a sanity check, fine, but, if
> not, CDNSKEY should I think suffice.
>
I agree with Viktor. There are currently registries that only accept
DNSKEY from their children. In those cases, a child could just publish
CDNSKEY and it makes no sense to require both parent and child to check
CDS existence. It's a new requirement that doesn't exist in the current
"out-of-band" protocol.
Hugo
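The parent-side check that the quoted Section 6.1 text describes, written out as an added example (this is not code from the thread, from the draft, or from any registry): it parses a child's CDNSKEY and CDS RRsets in presentation format, computes key tags and DS digests per RFC 4034, and then applies either the draft's strict rule (both RRsets must exist and name the same keys) or the looser policy argued for above (CDNSKEY alone suffices, CDS is only a cross-check when present). It also shows note (c): the DS records the parent emits use the parent's own digest type, regardless of which digest types the child put in CDS. The zone name `child.example.`, the 4-byte "public key", and the `check_child` / `require_both` names are constructed for illustration; the code assumes the caller has already DNSSEC-validated both RRsets under the current DS, which it does not do itself.

```python
"""Parent-side CDS/CDNSKEY check (added example; not code from the thread or the draft)."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 sec. 5.1.3, RFC 4509, RFC 6605) that hashlib can compute.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY/CDNSKEY RDATA (RFC 4034 Appendix B, non-RSAMD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA), hex (RFC 4034 sec. 5.1.4)."""
    return DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest()


def _fields(line: str, rtype: str):
    """Split a presentation-format record; optional TTL/class before the type is skipped."""
    toks = line.split()
    i = [t.upper() for t in toks].index(rtype)
    return toks[0], toks[i + 1:]


def parse_cdnskey(line: str):
    """'owner CDNSKEY <flags> <proto> <alg> <base64>' -> (owner, key tag, alg, rdata)."""
    owner, rest = _fields(line, "CDNSKEY")
    flags, proto, alg = (int(x) for x in rest[:3])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(rest[3:]))
    return owner, key_tag(rdata), alg, rdata


def parse_cds(line: str):
    """'owner CDS <tag> <alg> <digest type> <hex>' -> (owner, tag, alg, dtype, hex)."""
    owner, rest = _fields(line, "CDS")
    tag, alg, dtype = (int(x) for x in rest[:3])
    return owner, tag, alg, dtype, "".join(rest[3:]).lower()


def check_child(cdnskey_lines, cds_lines, parent_digest_type=2, require_both=True):
    """Decide whether the parent may update DS, and with which records.

    require_both=True is the draft's Section 6.1 rule (both RRsets present and naming
    the same keys, or no update); require_both=False is the CDNSKEY-suffices policy
    from the thread, with CDS cross-checked only when present.  Either way the DS
    records use the parent's own digest type (note c).  Assumes both RRsets were
    already DNSSEC-validated by the caller (hypothetical helper, not a real API).
    """
    problems = []
    keys = {}  # (tag, alg) -> (owner, rdata), from CDNSKEY
    for line in cdnskey_lines:
        owner, tag, alg, rdata = parse_cdnskey(line)
        keys[(tag, alg)] = (owner, rdata)
    cds = [parse_cds(line) for line in cds_lines]

    if not keys:
        problems.append("CDNSKEY RRset missing")
    if not cds and require_both:
        problems.append("CDS RRset missing")
    if keys and cds:
        cds_ids = {(tag, alg) for _, tag, alg, _, _ in cds}
        for tag, alg in sorted(cds_ids - set(keys)):
            problems.append(f"CDS names key {tag}/{alg} absent from CDNSKEY")
        for tag, alg in sorted(set(keys) - cds_ids):
            problems.append(f"CDNSKEY {tag}/{alg} has no CDS record")
        for owner, tag, alg, dtype, digest in cds:
            # Digest types hashlib lacks are identity-checked above but not recomputed.
            if (tag, alg) in keys and dtype in DIGEST_ALGS:
                if ds_digest(owner, keys[(tag, alg)][1], dtype) != digest:
                    problems.append(f"CDS digest mismatch for key {tag}/{alg}")
    if problems:
        return {"ok": False, "problems": problems, "ds": []}
    ds = [f"{owner} DS {tag} {alg} {parent_digest_type} "
          f"{ds_digest(owner, rdata, parent_digest_type)}"
          for (tag, alg), (owner, rdata) in sorted(keys.items())]
    return {"ok": True, "problems": [], "ds": ds}


# Constructed sample child data (hypothetical zone, not a real key): a 4-byte
# "public key" is enough to exercise the arithmetic; real P-256 keys are 64 bytes.
SAMPLE_OWNER = "child.example."
SAMPLE_CDNSKEY = [f"{SAMPLE_OWNER} 3600 IN CDNSKEY 257 3 13 AAECAw=="]  # key tag 1554
# The child's CDS carries a SHA-1 (type 1) digest, computed here with the same
# helper; the parent below still emits SHA-256 (type 2) DS records.
SAMPLE_CDS = [f"{SAMPLE_OWNER} 3600 IN CDS 1554 13 1 "
              f"{ds_digest(SAMPLE_OWNER, parse_cdnskey(SAMPLE_CDNSKEY[0])[3], 1)}"]

if __name__ == "__main__":
    for label, cds, strict in [("both published", SAMPLE_CDS, True),
                               ("CDNSKEY only, strict", [], True),
                               ("CDNSKEY only, lenient", [], False)]:
        print(label, check_child(SAMPLE_CDNSKEY, cds, require_both=strict))
```

Running it shows the three outcomes the thread is arguing about: with both RRsets published and consistent the parent gets a type-2 DS record even though the child's CDS was type 1; with only CDNSKEY published the strict rule refuses to act while the lenient policy proceeds. The delete sentinel from RFC 8078 (`CDS 0 0 0 00` / `CDNSKEY 0 3 0 AA==`) is deliberately not handled here.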