cds-child revision 598b502695802c3d4e23316b85368e54f39f5cab

CDS / CDNSKEY Child side processing.

* We need a mechanism to say that a key should have CDS publish
  start/end dates.

* We need a mechanism to say that a key should have CDNSKEY publish
  start/end dates.

  - update dnssec-settime, dnssec-keygen, dnssec-keyfromlabel
  - update K* files

* dnssec-signzone should add CDS and/or CDNSKEY to the zone apex iff the
  DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
  records are only removed if there is a deletion date set (implicit on
  the matching DNSKEY going inactive / unpublished, or explicit).

  Non-matching CDS and CDNSKEY are removed.

* auto-dnssec maintain should add CDS and/or CDNSKEY to the zone apex iff the
  DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
  records are only removed if there is a deletion date set (implicit on
  the matching DNSKEY going inactive / unpublished, or explicit).

* UPDATE should check that CDS and CDNSKEY match an active DNSKEY that
  is signing the DNSKEY RRset and ignore them otherwise. This should be
  done after all the update section records have been processed.

  ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?

* UPDATE should remove CDS and CDNSKEY records that match a DNSKEY
  that is being removed. This should be done after all the update
  section records have been processed.

  ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?

* Zone loading should perform sanity checks on CDS and CDNSKEY
  records against the DNSKEY records. This will flow through into
  dnssec-checkzone and "dnssec-checkconf -z" (ignore/warn/fail).

* rndc: add the ability to say generate CDS / CDNSKEY along with a key list /
  all / all SEP.

* rndc: add the ability to say remove CDS / CDNSKEY.

* inline zones need to check CDS and CDNSKEY records in the raw zone and
  filter non-matching ones.
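
The matching rule that the dnssec-signzone, UPDATE, zone-loading and inline-zone items above all depend on, as an added Python example (not BIND code and not part of these notes): a CDNSKEY matches only if its rdata equals a published DNSKEY that is signing the DNSKEY RRset, and a CDS matches only if it equals the DS computed from such a key (SHA-256 digest per RFC 4034 section 5.1.4, key tag per RFC 4034 Appendix B). The owner name, the two DNSKEY blobs and the set of key tags taken to be signing the DNSKEY RRset are constructed inputs.

```python
import hashlib

def owner_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def keytag(rdata):
    """RFC 4034 Appendix B key tag over the full DNSKEY rdata."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, rdata):
    """DS rdata (keytag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).digest()
    return (keytag(rdata), rdata[3], 2, digest)

def check_child_records(owner, dnskeys, signing_tags, cds_set, cdnskey_set):
    """Split CDS/CDNSKEY into (keep, drop). A record is kept only if it matches
    a published DNSKEY whose key tag appears in the RRSIGs over the DNSKEY
    RRset (signing_tags); everything else is non-matching and filtered out."""
    eligible = [k for k in dnskeys if keytag(k) in signing_tags]
    valid_cdnskey = set(eligible)
    valid_cds = {ds_from_dnskey(owner, k) for k in eligible}
    keep, drop = [], []
    for r in cdnskey_set:
        (keep if r in valid_cdnskey else drop).append(("CDNSKEY", r))
    for r in cds_set:
        (keep if r in valid_cds else drop).append(("CDS", r))
    return keep, drop

# Constructed sample zone (not real keys): flags/protocol/algorithm header
# bytes followed by a dummy public-key blob. KSK = 257, ZSK = 256, alg 13.
OWNER = "example."
KSK = b"\x01\x01\x03\x0d" + b"\x01" * 64
ZSK = b"\x01\x00\x03\x0d" + b"\x02" * 64

def demo():
    signing_tags = {keytag(KSK)}            # only the KSK signs the DNSKEY RRset
    good_cds = ds_from_dnskey(OWNER, KSK)
    stale_cds = ds_from_dnskey(OWNER, ZSK)  # ZSK does not sign the DNSKEY RRset
    return check_child_records(OWNER, [KSK, ZSK], signing_tags,
                               [good_cds, stale_cds], [KSK, ZSK])
```

demo() keeps the KSK's CDNSKEY and CDS and drops the ZSK's, which is the "filter non-matching" outcome the items above describe.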

* CDS and CDNSKEY must be signed by a DNSKEY which matches the parent DS record.
  This is different to how non-DNSKEY RRsets are usually signed
  (RFC 7344, section 4.1).
