cds-child revision 598b502695802c3d4e23316b85368e54f39f5cab

CDS / CDNSKEY Child side processing.

* We need a mechanism to say that a key should have CDS publish
  start/end dates.

* We need a mechanism to say that a key should have CDNSKEY publish
  start/end dates.

  - update dnssec-settime, dnssec-keygen, dnssec-keyfromlabel
  - update K* files

* dnssec-signzone should add CDS and/or CDNSKEY to the zone apex iff the
  DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
  records are only removed if there is a deletion date set (implicit on
  matching DNSKEY going inactive / unpublished, or explicit).

  Non-matching CDS and CDNSKEY are removed.

* auto-dnssec maintain should add CDS and/or CDNSKEY to the zone apex iff
  the DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
  records are only removed if there is a deletion date set (implicit on
  matching DNSKEY going inactive / unpublished, or explicit).

* UPDATE should check that CDS and CDNSKEY match an active DNSKEY that
  is signing the DNSKEY RRset and ignore them otherwise. This should be
  done after all the update section records have been processed.

  ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?

* UPDATE should remove CDS and CDNSKEY records that match a DNSKEY
  that is being removed. This should be done after all the update
  section records have been processed.

  ? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?

* Zone loading should perform sanity checks on CDS and CDNSKEY
  records against the DNSKEY records. This will flow through into
  dnssec-checkzone and "dnssec-checkconf -z". ignore/warn/fail

* rndc: add the ability to say generate CDS / CDNSKEY along with a key
  list / all / all SEP.

* rndc: add the ability to say remove CDS / CDNSKEY.

* Inline zones need to check CDS and CDNSKEY records in the raw zone and
  filter out non-matching ones.

* CDS and CDNSKEY must be signed by a DNSKEY which matches the parent DS
  record. This is different to how non-DNSKEY RRsets are usually signed
  (RFC 7344, 4.1).
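
The matching rule used by the zone-loading sanity check and the "non-matching CDS are removed" items above, as an added Python example (not BIND code). All function names are hypothetical, the key bytes are constructed placeholders, only SHA-256 digests are handled, and the caller is assumed to pass only DNSKEYs that are published and signing the DNSKEY RRset.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an absolute domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_cds(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def split_cds(owner, signing_dnskeys, cds_rrset):
    """Split a CDS RRset into (matching, non_matching) records.

    signing_dnskeys: RDATA of DNSKEYs assumed to be published and
    signing the DNSKEY RRset; anything else counts as non-matching.
    """
    expected = {make_cds(owner, k) for k in signing_dnskeys}
    keep = [c for c in cds_rrset if c in expected]
    drop = [c for c in cds_rrset if c not in expected]
    return keep, drop

# Constructed sample data: key bytes are placeholders, not real keys.
OWNER = "example.com."
KSK = dnskey_rdata(257, 13, bytes(range(64)))
OLD_KSK = dnskey_rdata(257, 13, bytes(range(1, 65)))  # no longer in the zone
GOOD = make_cds(OWNER, KSK)
STALE = make_cds(OWNER, OLD_KSK)                      # matches a removed key
TAMPERED = (GOOD[0], GOOD[1], GOOD[2], bytes(32))     # right tag, wrong digest

if __name__ == "__main__":
    keep, drop = split_cds(OWNER, [KSK], [GOOD, STALE, TAMPERED])
    print("keep tags:", [c[0] for c in keep])
    print("drop tags:", [c[0] for c in drop])
```

A CDNSKEY check is simpler, since its RDATA can be compared byte for byte with the DNSKEY RDATA.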