[dns-operations] Should parents look for CDNSKEY or CDS, or both?

Peter Thomassen peter at desec.io
Mon Oct 20 11:22:32 UTC 2025


Hi,

Thank you both for your feedback.

Just a heads-up: It seems like consensus (also in DNSOP) is to remove the recommendation, so I've done so in the current revision. For details, see https://mailarchive.ietf.org/arch/msg/dnsop/95p3c_nPddmSFVskOuxL7Z5kWfU/.

If you have any other feedback on the questions listed in that message, please respond on DNSOP. Thanks!

Best,
Peter


On 10/15/25 02:34, Hugo Salgado wrote:
> On 23:08 14/10, Viktor Dukhovni wrote:
>> On Tue, Oct 14, 2025 at 11:09:59AM +0200, Peter Thomassen via dns-operations wrote:
>>
>>> Section 6.1:
>>>
>>>     2.  Parents, independently of their preference for CDS or CDNSKEY,
>>>         SHOULD require publication of both RRsets, and SHOULD NOT proceed
>>>         with updating the DS RRset if one is found missing or
>>>         inconsistent with the other.
>>>
>>> While this at first glance indeed may seem like a not-so-good idea,
>>> there are some arguments why the alternative may be an even worse
>>> idea. An analysis of the problem is given in Section 6.2, which for
>>> convenience I'm pasting below.
>>>
>>> It would be extremely helpful to learn what's the view of DNSOP
>>> participants on this matter, so you are invited :-)
>>>
>>> Several notes:
>>>
>>> a) The draft is only for new deployments of DS automation; it is not
>>>     trying to create work for existing ones.
>>>
>>> b) The previous recommendation tells children to publish both; this
>>>     one is about the parent-side enforcement.
>>>
>>> c) A misconception (to be clarified in the draft): the above does not
>>>     prevent the parent from choosing a digest type that's not in CDS. It
>>>     requires only that both RRsets exist and refer to the same keys, not
>>>     that the parent uses the exact digest types for the DS RRset.
>>
>> My instinct is that the proposed requirements are needlessly strong, if
>> a child publishes CDNSKEY, there is nothing to be gained by the parent
>> also *mandating* corresponding CDS records.  Yes, the child SHOULD
>> publish both, just in case the parent only supports CDS, but since
>> parents are expected to process both when both are published, until
>> and unless CDNSKEY is deprecated, I don't see a need to publish both.
>>
>> If a child zone wants to enable CDS as a sanity check, fine, but, if
>> not, CDNSKEY should I think suffice.
>>
> 
> I agree with Viktor. There are currently registries that only accept
> DNSKEY from their children. In those cases, a child could just publish
> CDNSKEY and it makes no sense to require both parent and child to check
> CDS existence. It's a new requirement that doesn't exist in the current
> "out-of-band" protocol.
> 
> Hugo
> 

-- 
Like our community service? 💛
Please consider donating at

https://desec.io/

deSEC e.V.
Möckernstraße 74
10965 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
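The parent-side check discussed in the quoted Section 6.1 text above (both RRsets present and referring to the same keys, while the parent stays free to choose its own digest type for the DS it publishes, per note c), as an added example that is not part of this message, the draft, or any registry's code. The owner name, the keys and the RRsets are constructed; the public-key bytes are a placeholder pattern, not real ECDSA points. Wire formats and the key tag follow RFC 4034, the SHA-256/384 DS digests RFC 4509 and RFC 6605, and the delete signal (CDS "0 0 0 00" / CDNSKEY "0 3 0 AA==") RFC 8078.

```python
"""Parent-side CDS/CDNSKEY consistency check (added example, constructed data)."""
import hashlib
from dataclasses import dataclass

# Digest types the parent understands (RFC 8624 registry names); hashlib names.
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class Key:
    """One CDNSKEY record; RDATA layout is identical to DNSKEY (RFC 4034 s2)."""
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class DS:
    """One CDS record; RDATA layout is identical to DS (RFC 4034 s5)."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(key: Key) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_owner(name: str) -> bytes:
    """Owner name in canonical wire form (lowercase, length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: Key, digest_type: int) -> DS:
    """DS for `key` under `digest_type`: digest(owner || DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(canonical_owner(owner) + key.rdata())
    return DS(key_tag(key), key.algorithm, digest_type, h.digest())


# RFC 8078 delete signal: CDNSKEY "0 3 0 AA==" and CDS "0 0 0 00".
DELETE_KEY = Key(0, 3, 0, b"\x00")
DELETE_DS = DS(0, 0, 0, b"\x00")


def check_consistency(owner: str, cdnskey, cds) -> tuple[bool, str]:
    """Both RRsets must exist and refer to the same keys; otherwise leave DS alone."""
    cdnskey, cds = list(cdnskey), list(cds)
    if not cdnskey or not cds:
        return False, "CDNSKEY or CDS RRset missing: do not touch the parent DS"
    if DELETE_KEY in cdnskey or DELETE_DS in cds:
        # The delete signal must be the whole content of both RRsets.
        if cdnskey == [DELETE_KEY] and cds == [DELETE_DS]:
            return True, "delete"
        return False, "delete signal mixed with ordinary records"
    # Every CDS must match some CDNSKEY under the digest type the CDS itself uses.
    for d in cds:
        if d.digest_type not in DIGEST_ALGS:
            return False, f"CDS uses unsupported digest type {d.digest_type}"
        if not any(make_ds(owner, k, d.digest_type) == d for k in cdnskey):
            return False, f"CDS key tag {d.key_tag} matches no CDNSKEY"
    # Every CDNSKEY must be referenced by at least one CDS.
    for k in cdnskey:
        if not any(make_ds(owner, k, d.digest_type) == d for d in cds):
            return False, f"CDNSKEY key tag {key_tag(k)} has no CDS"
    return True, "consistent"


def build_parent_ds(owner: str, cdnskey, cds, parent_digest_type: int = 2) -> list:
    """The DS RRset the parent publishes: built from CDNSKEY with the parent's
    own digest type, which need not appear in the child's CDS at all."""
    ok, why = check_consistency(owner, cdnskey, cds)
    if not ok:
        raise ValueError(why)
    if why == "delete":
        return []
    return [make_ds(owner, k, parent_digest_type) for k in cdnskey]


# Constructed sample: a KSK (flags 257) and a ZSK (flags 256), algorithm 13,
# with placeholder key bytes. The child publishes only a SHA-256 CDS.
SAMPLE_OWNER = "Example.NET."
KSK = Key(257, 3, 13, bytes(range(64)))
ZSK = Key(256, 3, 13, bytes(range(64, 128)))
SAMPLE_CDNSKEY = [KSK]
SAMPLE_CDS = [make_ds(SAMPLE_OWNER, KSK, 2)]

if __name__ == "__main__":
    print(check_consistency(SAMPLE_OWNER, SAMPLE_CDNSKEY, SAMPLE_CDS))
    print(check_consistency(SAMPLE_OWNER, [KSK, ZSK], SAMPLE_CDS))  # ZSK has no CDS
    for ds in build_parent_ds(SAMPLE_OWNER, SAMPLE_CDNSKEY, SAMPLE_CDS, 4):
        print(ds.key_tag, ds.algorithm, ds.digest_type, ds.digest.hex())
```

The check deliberately recomputes each CDS from the CDNSKEY RDATA rather than comparing key tags alone: key tags are a 16-bit checksum and collide, so a tag match says nothing about whether the digest actually belongs to that key. The last call in the usage block publishes a SHA-384 DS although the child only signalled SHA-256, which is exactly the freedom note c) above describes.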


