cds-child revision 431e5c81dbd81cf411b9a187fa5f611f23c0e16f
Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

CDS / CDNSKEY Child side processing.

* We need a mechanism to say that a key should have a CDS published
* We need a mechanism to say that a key should have a CDNSKEY published
 - update dnssec-settime, dnssec-keygen, dnssec-keyfromlabel
 - update K* files
* dnssec-signzone should add CDS and/or CDNSKEY to the zone apex iff the
  DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
  records are only removed if there is a deletion date set (implicit on
  matching DNSKEY going inactive / unpublished or explicit).
  Non-matching CDS and CDNSKEY are removed.
* auto-dnssec maintain should add CDS and/or CDNSKEY to the zone apex iff the
  DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
  records are only removed if there is a deletion date set (implicit on
  matching DNSKEY going inactive / unpublished or explicit).
* UPDATE should check that CDS and CDNSKEY match an active DNSKEY that
  is signing the DNSKEY RRset and ignore otherwise. This should be
  done after all the update section records have been processed.
  ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?
* UPDATE should remove CDS and CDNSKEY records that match a DNSKEY
  that is being removed. This should be done after all the update
  section records have been processed.
  ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?
* Zone loading should perform sanity checks on CDS and CDNSKEY
  records against the DNSKEY records. This will flow through into
  dnssec-checkzone and "dnssec-checkconf -z". ignore/warn/fail
* rndc: add the ability to say generate CDS / CDNSKEY along with a key list /
  all / all SEP
* rndc: add the ability to say remove CDS / CDNSKEY.
* inline zones need to check CDS and CDNSKEY records in the raw zone and
  filter non-matching.
* CDS and CDNSKEY must be signed by a DNSKEY which matches the parent DS record.
  This is different to how non-DNSKEY RRsets are usually signed.
  RFC 7344, 4.1.
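
The matching rule used by the signzone, UPDATE, zone-loading and inline-zone items above, as an added example (not BIND code): a CDS or CDNSKEY is kept only if it corresponds to a published DNSKEY that is signing the DNSKEY RRset. The function names and sample data are hypothetical; the set of signer ids is assumed to come from RRSIGs that were already validated, and only digest type 2 (SHA-256) is handled.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lower-cased) wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, alg, pubkey):
    return struct.pack("!HBB", flags, protocol, alg) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 is computed differently)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def cds_for(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def filter_child_records(owner, dnskeys, signer_ids, cds_set, cdnskey_set):
    """Split CDS/CDNSKEY into (kept, rejected).

    dnskeys: published DNSKEY RDATA; signer_ids: (key tag, algorithm) pairs of
    the already-validated RRSIGs covering the DNSKEY RRset (assumed input).
    """
    eligible = [k for k in dnskeys if (key_tag(k), k[3]) in signer_ids]
    kept, rejected = [], []
    for cds in cds_set:
        ok = any(cds == cds_for(owner, k) for k in eligible)
        (kept if ok else rejected).append(("CDS", cds))
    for cdnskey in cdnskey_set:
        # CDNSKEY RDATA is identical to the RDATA of the DNSKEY it announces.
        (kept if cdnskey in eligible else rejected).append(("CDNSKEY", cdnskey))
    return kept, rejected

# Constructed sample data: key material is filler bytes, not real keys.
OWNER = "child.example."
KSK = dnskey_rdata(257, 3, 13, bytes(range(32)))
STANDBY = dnskey_rdata(257, 3, 13, bytes(range(32, 64)))  # published, not signing

if __name__ == "__main__":
    kept, rejected = filter_child_records(
        OWNER, [KSK, STANDBY], {(key_tag(KSK), 13)},
        [cds_for(OWNER, KSK), cds_for(OWNER, STANDBY)], [KSK, STANDBY])
    print("kept:", [(t, key_tag(r) if t == "CDNSKEY" else r[0]) for t, r in kept])
    print("rejected:", len(rejected))
```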