Copyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC")

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
CDS / CDNSKEY child-side processing.
* We need a mechanism to say that a key should have a CDS published.
* We need a mechanism to say that a key should have a CDNSKEY published.
  - update dnssec-settime, dnssec-keygen, dnssec-keyfromlabel
  - update the K* files (the per-key state files) to carry the new timing/publish fields
* dnssec-signzone should add CDS and/or CDNSKEY to the zone apex iff the
  DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
  records are only removed if there is a deletion date set (implicit on
  the matching DNSKEY going inactive / unpublished, or explicit).
  Non-matching CDS and CDNSKEY records (no corresponding DNSKEY) are removed.
* auto-dnssec maintain should add CDS and/or CDNSKEY to the zone apex iff the
  DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
  records are only removed if there is a deletion date set (implicit on
  the matching DNSKEY going inactive / unpublished, or explicit).
* UPDATE should check that CDS and CDNSKEY records match an active DNSKEY
  that is signing the DNSKEY RRset, and ignore them otherwise. This should
  be done after all the update section records have been processed.
  ? How will this tie in with the CDS/CDNSKEY sanity checks? Only on fail?
* UPDATE should remove CDS and CDNSKEY records that match a DNSKEY that is
  being removed. This should be done after all the update section records
  have been processed.
  ? How will this tie in with the CDS/CDNSKEY sanity checks? Only on fail?
* Zone loading should perform sanity checks on CDS and CDNSKEY records
  against the DNSKEY records. This will flow through into named-checkzone
  and "named-checkconf -z". The response should be configurable: ignore/warn/fail.
* rndc: add the ability to say "generate CDS / CDNSKEY" for a key list /
  all keys / all SEP keys.
* rndc: add the ability to say "remove CDS / CDNSKEY".
* Inline-signing zones need to check CDS and CDNSKEY records in the raw zone
  and filter out the non-matching ones before signing.
* CDS and CDNSKEY must be signed by a DNSKEY which matches a parent DS record
  (RFC 7344, section 4.1). This is different from how non-DNSKEY RRsets are
  usually signed (typically by a ZSK alone), so the signer selection for these
  two RRsets needs its own rule.