7a665402a5e822ba0c6b95713560520024954532Danny MayerCopyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC")
7a665402a5e822ba0c6b95713560520024954532Danny MayerThis Source Code Form is subject to the terms of the Mozilla Public
7a665402a5e822ba0c6b95713560520024954532Danny MayerLicense, v. 2.0. If a copy of the MPL was not distributed with this
7a665402a5e822ba0c6b95713560520024954532Danny Mayerfile, You can obtain one at http://mozilla.org/MPL/2.0/.
7a665402a5e822ba0c6b95713560520024954532Danny Mayer CDS / CDNSKEY Child side processing.
7a665402a5e822ba0c6b95713560520024954532Danny Mayer* We need a mechanism to say that key should have a cds publish
7a665402a5e822ba0c6b95713560520024954532Danny Mayer* We need a mechanism to say that key should have a cdnskey publish
7a665402a5e822ba0c6b95713560520024954532Danny Mayer - update dnssec-settime, dnssec-keygen, dnssec-keyfromlabel
7a665402a5e822ba0c6b95713560520024954532Danny Mayer - update K* files
7a665402a5e822ba0c6b95713560520024954532Danny Mayer* dnssec-signzone should add cds and/or cdnskey to zone apex iff the
7a665402a5e822ba0c6b95713560520024954532Danny Mayer DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
7a665402a5e822ba0c6b95713560520024954532Danny Mayer records are only removed if there is a deletion date set (implicit on
7a665402a5e822ba0c6b95713560520024954532Danny Mayer matching DNSKEY going inactive / unpublished or explict).
7a665402a5e822ba0c6b95713560520024954532Danny Mayer Non-matching CDS and CDNSKEY are removed.
7a665402a5e822ba0c6b95713560520024954532Danny Mayer* auto-dnssec maintain should cds and/or cdnskey to zone apex iff the
7a665402a5e822ba0c6b95713560520024954532Danny Mayer DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
7a665402a5e822ba0c6b95713560520024954532Danny Mayer records are only removed if there is a deletion date set (implicit on
7a665402a5e822ba0c6b95713560520024954532Danny Mayer matching DNSKEY going inactive / unpublished or explict).
? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?
? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?
dnssec-checkzone and "dnssec-checkconf -z". ignore/warn/fail