Copyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC")

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

 CDS / CDNSKEY Child side processing.

* We need a mechanism to say that a key should have CDS publish
 start/end dates.

* We need a mechanism to say that a key should have CDNSKEY publish
 start/end dates.

 - update dnssec-settime, dnssec-keygen, dnssec-keyfromlabel
 - update K* files

* dnssec-signzone should add CDS and/or CDNSKEY to the zone apex iff the
 DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
 records are only removed if there is a deletion date set (implicit on
 the matching DNSKEY going inactive / unpublished, or explicit).

 Non-matching CDS and CDNSKEY are removed.

* auto-dnssec maintain should add CDS and/or CDNSKEY to the zone apex iff the
 DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
 records are only removed if there is a deletion date set (implicit on
 the matching DNSKEY going inactive / unpublished, or explicit).

* UPDATE should check that CDS and CDNSKEY match an active DNSKEY that
 is signing the DNSKEY RRset and ignore them otherwise. This should be
 done after all the update section records have been processed.
 ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?

* UPDATE should remove CDS and CDNSKEY records that match a DNSKEY
 that is being removed. This should be done after all the update
 section records have been processed.
 ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?

* Zone loading should perform sanity checks on CDS and CDNSKEY
 records against the DNSKEY records. This will flow through into
 dnssec-checkzone and "dnssec-checkconf -z". ignore/warn/fail

* rndc: add the ability to say generate CDS / CDNSKEY along with a key list /
 all / all SEP

* rndc: add the ability to say remove CDS / CDNSKEY.

* inline zones need to check CDS and CDNSKEY records in the raw zone and
 filter out non-matching ones.

* CDS and CDNSKEY must be signed by a DNSKEY which matches a parent DS record.
 This is different to how non-DNSKEY RRsets are usually signed
 (RFC 7344, section 4.1).
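The two checks above (sanity-checking CDS against the DNSKEY RRset, and requiring the CDS RRset to be signed by a DNSKEY that matches a parent DS) as an added worked example; this is not BIND's code and models RRSIGs only by the key tags they name, computing DS digests with SHA-256 only (both are assumptions of the example). The zone, keys and CDS records are constructed sample data.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lower-case wire form of an owner name (RFC 4034, 6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF

def ds_digest(owner, rdata):
    """SHA-256 DS/CDS digest (type 2): hash of owner wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def check_child_cds(owner, dnskeys, dnskey_sig_tags, cds_rrset, cds_sig_tags, parent_ds):
    """Return (CDS records to keep, problems). A CDS is kept only if it matches
    a published DNSKEY that signs the DNSKEY RRset; the CDS RRset itself must
    be signed by a DNSKEY matching a parent DS (RFC 7344, 4.1). RRSIGs are
    modelled by the key tags they name; real code verifies the signatures."""
    problems, keep = [], []
    for tag, alg, dtype, digest in cds_rrset:          # CDS RDATA fields
        matches = [k for k in dnskeys if k[3] == alg and key_tag(k) == tag
                   and dtype == 2 and ds_digest(owner, k) == digest]
        if not matches:
            problems.append("CDS %d: no matching DNSKEY, dropped" % tag)
        elif tag not in dnskey_sig_tags:
            problems.append("CDS %d: key does not sign DNSKEY RRset, dropped" % tag)
        else:
            keep.append((tag, alg, dtype, digest))
    signer_ok = any(key_tag(k) in cds_sig_tags and
                    (key_tag(k), k[3], 2, ds_digest(owner, k)) in parent_ds
                    for k in dnskeys)
    if not signer_ok:
        problems.append("CDS RRset not signed by a DNSKEY matching a parent DS")
        return [], problems
    return keep, problems

# Constructed sample zone (not BIND data): KSK signs the DNSKEY RRset, ZSK does not.
ZONE = "example."                                             # key bytes are placeholders
KSK = struct.pack("!HBB", 257, 3, 13) + bytes(range(1, 65))   # flags, protocol, alg
ZSK = struct.pack("!HBB", 256, 3, 13) + bytes(range(64, 0, -1))
PARENT_DS = {(key_tag(KSK), 13, 2, ds_digest(ZONE, KSK))}

def sample_run():
    cds = [(key_tag(KSK), 13, 2, ds_digest(ZONE, KSK)),   # matches the KSK
           (key_tag(ZSK), 13, 2, ds_digest(ZONE, ZSK)),   # ZSK does not sign DNSKEY
           (12345, 13, 2, b"\x00" * 32)]                  # stale CDS, no such DNSKEY
    return check_child_cds(ZONE, [KSK, ZSK], {key_tag(KSK)}, cds, {key_tag(KSK)}, PARENT_DS)
```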