Diff: draft-ietf-dnsop-maintain-ds-05.txt vs. draft-ietf-dnsop-maintain-ds-06.txt

dnsop                                                     O. Gudmundsson
Internet-Draft                                                CloudFlare
Intended status: Standards Track                              P. Wouters
Expires: July 14, 2017                                           Red Hat
                                                        January 10, 2017

              Managing DS records from parent via CDS/CDNSKEY
        draft-ietf-dnsop-maintain-ds-05 / draft-ietf-dnsop-maintain-ds-06

Abstract (unchanged between the two versions)

   RFC7344 specifies how DNS trust can be maintained across key
   rollovers in-band between parent and child.  This document elevates
   RFC7344 from informational to standards track and adds a standard
   track method for initial trust setup and removal of secure entry
   point.

   Changing a domain's DNSSEC status can be a complicated matter

[skipping to change at page 7, line 42]

   1 CDS 0 0 0 0
   2 CDNSKEY 0 3 0 0

   The keying material payload is represented by a single 0.  This
   record is signed in the same way as regular CDS/CDNSKEY RRsets are
   signed.  This is a change in format from strict interpretation of
   [RFC7344] and may cause problems with some deployed software.

   -05 text:
   Strictly speaking the CDS record could be "CDS X 0 X" as only the
   DNSKEY algorithm is what signals the DELETE operation, but for
   clarity the "0 0 0" notation is mandated - this is not a definition
   of DS Digest algorithm 0.  The same argument applies to "CDNSKEY 0 3
   0"; the value 3 in the second field is mandated by [RFC4034] section
   2.1.2.

   -06 text:
   Strictly speaking the CDS record could be "CDS X 0 X 0" as only the
   DNSKEY algorithm is what signals the DELETE operation, but for
   clarity the "0 0 0 0" notation is mandated - this is not a definition
   of DS Digest algorithm 0.  The same argument applies to "CDNSKEY 0 3
   0 0"; the value 3 in the second field is mandated by [RFC4034] section
   2.1.2.
   Once the parent has verified the CDS/CDNSKEY RRset and it has passed
   other acceptance tests, the parent MUST remove the DS RRset.  After
   waiting a sufficient amount of time - depending on the parental TTLs
   - the child can start the process of turning off DNSSEC.
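The parent-side decision described in the two paragraphs above, as an added example that is not part of either draft: it parses CDS/CDNSKEY records in presentation format, treats DNSKEY algorithm 0 as the DELETE signal, distinguishes the mandated "0 0 0 0" / "0 3 0 0" form from the looser "X 0 X 0" form, and decides whether the parent removes the DS RRset. The function names, the `strict` switch and the rule that a set mixing DELETE and key records is rejected are this example's own assumptions, not text from the draft.

```python
def parse_rr(rr):
    """Split a CDS/CDNSKEY record into (rtype, [n1, n2, n3], payload).
    CDS     = <key tag> <algorithm> <digest type> <digest>
    CDNSKEY = <flags> <protocol> <algorithm> <public key>
    An optional 'owner [ttl] [IN]' prefix is skipped."""
    toks = rr.split()
    rtype = None
    for i, t in enumerate(toks):
        if t.upper() in ("CDS", "CDNSKEY"):
            rtype = t.upper()
            break
    if rtype is None or len(toks) - i - 1 < 4:
        raise ValueError("not a well-formed CDS/CDNSKEY record: %r" % rr)
    nums = [int(f) for f in toks[i + 1:i + 4]]
    payload = "".join(toks[i + 4:])  # base64/hex payload may span tokens
    return rtype, nums, payload


def classify(rr):
    """'delete' (mandated all-zero form), 'delete-nonstandard' (algorithm 0,
    the real signal, but other fields not zero, e.g. 'CDS 12345 0 2 0'),
    or 'keys' (a normal record carrying a DS digest / public key)."""
    rtype, nums, payload = parse_rr(rr)
    alg = nums[1] if rtype == "CDS" else nums[2]
    if alg != 0:
        return "keys"
    # Protocol field 3 is mandated by RFC 4034 section 2.1.2 for CDNSKEY.
    mandated = ([0, 0, 0], "0") if rtype == "CDS" else ([0, 3, 0], "0")
    return "delete" if (nums, payload) == mandated else "delete-nonstandard"


def parent_action(records, strict=True):
    """Decide what the parent does after the child records validated.
    Returns 'remove-ds', 'update-ds' or 'reject'.
    Assumption (example's own, not in the draft): a set mixing DELETE and
    key records is ambiguous and is rejected; strict=True also rejects the
    non-mandated DELETE spelling."""
    if not records:
        return "reject"
    kinds = {classify(rr) for rr in records}
    if kinds == {"keys"}:
        return "update-ds"
    if "keys" in kinds:
        return "reject"
    if strict and "delete-nonstandard" in kinds:
        return "reject"
    return "remove-ds"


if __name__ == "__main__":
    # Constructed sample records; the digest is a dummy hex string.
    print(parent_action(["example.com. 3600 IN CDS 0 0 0 0"]))   # remove-ds
    print(parent_action(["CDS 12345 0 2 0"]))                     # reject
    print(parent_action(["CDS 12345 13 2 " + "ab" * 32]))         # update-ds
```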
5.  Security considerations

   Turning off DNSSEC reduces the security of the domain and thus should

End of changes.  4 change blocks.  4 lines changed or deleted, 4 lines changed or added.

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/