upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-03-10 18:28:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/design/cds-child
Matthijs Mekking 10bb8f92a1 Remove auto-dnssec from documentation 
Update the ARM and DNSSEC guide, removing references to 'auto-dnssec',
replacing them with 'dnssec-policy' if needed.

The section "Alternative Ways" of signing has to be refactored, since
we now only focus on one alternative way, that is manual signing.
2023-07-20 11:04:24 +02:00

65 lines
2.4 KiB
Text
Raw Blame History

<!--
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-->
CDS / CDNSKEY Child side processing.
* We need a mechanism to say that key should have a cds publish
start/end dates.
* We need a mechanism to say that key should have a cdnskey publish
start/end dates
- update dnssec-settime, dnssec-keygen, dnssec-keyfromlabel
- update K* files
* dnssec-signzone should add cds and/or cdnskey to zone apex iff the
DNSKEY is published and is signing the DNSKEY RRset. CDS and CDNSKEY
records are only removed if there is a deletion date set (implicit on
matching DNSKEY going inactive / unpublished or explicit).
Non-matching CDS and CDNSKEY are removed.
* dnssec-policy publishes cds and/or cdnskey to zone apex iff the
DNSKEY is published, is signing the DNSKEY RRset, and if it has been
propagated into caches.
CDS and CDNSKEY records are removed if the corresponding DNSKEY has
been removed from zone and caches.
* UPDATE should check that CDS and CDNSKEY match a active DNSKEY that
is signing the DNSKEY RRset and ignore otherwise. This should be
done after all the update section records have been processed.
? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?
* UPDATE should remove CDS and CDNSKEY records that match a DNSKEY
that is being removed. This should be done after all the update
section records have been processed.
? how will this tie in with CDS/CDNSKEY sanity checks? Only on fail?
* Zone loading should perform sanity checks on CDS and CDNSKEY
records against the DNSKEY records. This will flow through into
dnssec-checkzone and "dnssec-checkconf -z". ignore/warn/fail
* rndc add the ability to say generate CDS / CDNSKEY along with a key list /
all / all SEP
* rndc add the ability to say remove CDS / CDNSKEY.
* inline zones need to check CDS and CDNSKEY records in the raw zone and
filter non matching.
* CDS and CDNSKEY must be signed by a DNSKEY which matches parent DS record.
This is is different to how non DNSKEY RRsets are usually signed
RFC 7344, 4.1.
Reference in a new issue View git blame Copy permalink