[DNSOP] Re: Andy Newton's Discuss on draft-ietf-dnsop-ds-automation-08: (with DISCUSS and COMMENT)

Peter Thomassen <peter@desec.io> Wed, 20 May 2026 16:48 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id F247CF1B56B8; Wed, 20 May 2026 09:48:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779295738; bh=+l1oM8V2+DzxxkEzAqPimX2SqeFOvU5ZmCi7JBq1mpw=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=U2HThIxhQz6yADkVOr3bKSodK/adKkP+tX3WwHhzX+gBJ0rR5DiWMS38YfxpXoSVs +OsE69ZXOkGJ+Ie0BgFql9TIvGRQkcTu6R1WICTe5omDGQ6moJy8JssRbs1R7/394A 1IDQutU4PA6ieuDjyoqZIALVUA4j2BzZVjGGVa/c=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pqTI6zqLmHcQ; Wed, 20 May 2026 09:48:57 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BFF20F1B496B; Wed, 20 May 2026 09:45:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=I0IKv/DvvWj5pdwnIoURnkf/h5VWYnb2OYmDvIJOmX4=; b=vYyc3jaF/3muGjIpC/1FmYWuMJ jK5+EngfFF0Yp4w+sObaOao1gLWSl0uuDm62GOV/pcHSGYyq2tsgth55CVhe1GvbmJ5uYZJzGQFw2 hfS4tTr1Q+TiG2m0rn28POgHAhBOuE2eMrSDM9Bt3vV+au8Ne5W7Ut6Ff3xma1cRSAHlKGWToBEYY ZcXiMwGitIoR+os5xiN12YNXtPenCp5qM9R3RsBBz1oxrQjb2JpCzQVjUmSP7daQyjd7LIYv092BY wTV3uGcaPpwhHWF9d/4Z2KhGjudD+vwV+xxri14BBglWvGre6BofZJCVGya6K0tbpY3JpvlSCcJOs MI69F9yw==;
Received: from [2a00:20:635a:efae:aebc:fb80:2771:57e4] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.97) (envelope-from <peter@desec.io>) id 1wPk34-0000000DSRH-1Sne; Wed, 20 May 2026 18:45:34 +0200
Message-ID: <469a2f81-e4b2-4d5b-b541-afa078cd8f2c@desec.io>
Date: Wed, 20 May 2026 18:45:33 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Andy Newton <andy@hxr.us>, The IESG <iesg@ietf.org>
References: <177923004209.585.3418420922155603562@dt-datatracker-7688897f84-hmm7m> <b35fa2e7-f907-4e12-9df3-25aa1cf80990@desec.io> <3e05747a-810d-4d69-ac77-10562ae4df0c@hxr.us>
Content-Language: en-US, de-DE
From: Peter Thomassen <peter@desec.io>
Autocrypt: addr=peter@desec.io; keydata= xsFNBFRjVn0BEADXqtra70yxQrT4MQ9DEhN0mxG6XRAOHE6nP18mqxwSlcET7D6w+z3h4ole v0tyvUU02c2wg04X8WVfjoHnAvIa1dfUcNpB1+QmfFsw0xIJlbT1ogHkMiPQqR4ChDvE3ND/ 6YCS5+HT6hY+tfU+hpLsKw4l+u1Pg2NPVLYosET1jU84b7xhFnoicnCV3kUNltLtxLKSBAfk AXtp1AWWKJbfCr3y0qKElMriicoe5DUZfLrZK2iPcWBxh+n7KMO2g7aqx3aQqwW1+S7Sq7Is l6iSurYfIcHb4AfUy4o5nPB8kKACR6BuJmkEQ5WLuTGruWA2fcxaNpICmolMinTzW1CrIjgN PoskMYCNIZ2uWxS6LN8hBiGCRL4h9aL4wuT09SvR13oAPI1HD5ph+mH6wD37/ONBXrdjcFNb 1l/uVkHU/SwwcKDJOsX18T60Ao00fciTbFHgmKtFube0xGK/vjh461TyU+xKD8Orvyeovvxy MzCwM3UVq/dkdG2Ys/7Qy/4bUC1nJEwKlLv7ZTdtSckdoU2M6JpPX6i4KDB2YCMbwtqJ842z 8A/UuE2bL9aDimh/sF8WgPIhlxqF1STNqW1JTIbDPv8HeZnM4nyJOUWStj4uRiETQhBClPLz YWtnR+EUsfbSLy81vfupbMqRasDlt6aASobgn+K7Rb1Xs/mDnwARAQABzSBQZXRlciBUaG9t YXNzZW4gPHBldGVyQGRlc2VjLmlvPsLBeAQTAQIAIgUCVGNWfQIbIwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQ79YUOj7yLS88Dg//SbHnFGrtaImEiM69wyj4GzWnuGk9/upCym/R RzdBALCYHU9FUFFHwusiO9A0pnO8qv/GEtqqTHrcL205a6FTivkdZmOsWuN4oo7r4HBc/taI FLLUDg2wd8q4m4387sYEqrc3olGfyRB6hrMtEWVJLXHJmpcrxAaI1F2QO4Bu7kcdTnyGFz/p ZD8XAof2TWHqJb2ux69DFhiAJeAZlV+h9QrxTedL84l4hq3x1VWsnOEFaCJiThDX920kTnhJ ijrDocgAbmQBCniPACpPHYhBhmCJxfVqgfMuLMNsukOmKxsGcGV6rO1zB5ZUhm3O/Ixk6ow3 6FDKALWihg6Z4P/cJYySMn0iqvHkO8ryT9oJKX//mKaYoF6henXDRLCcRjKwGxFQTEgX+6yc pjgvX3rlypjkPT5ho4yEc5ePkQ2gIIHhvZburm1Zr4nDPx6v8+3XUjpXBRTWQ8/0/h0rtLJe yOPwGJxcfKf/GutTCqiio0mS01mIY9c2i7JWcljlIuSEUit6CHotc5lBOm2GJwguRJG6cXPY SQecwBdcjH3RTzBOv/DN6xWAIV7BmbX/e7DSGAc60mBO1/M0ut+a6CkxRQK8TaE3B3zh1/QO nG0XvtZfIY8ZYdTrdEDSV1Pj5pof/fqhhegHRxN2qi4qIuVcrW0jsUsx10IgAynHR7qQKsvO wU0EVGNWfQEQAPBA8iPCS4ZRX8stW0WuW7579axSq/Luyik4MWDFalt68lzvUbV0f6faN15+ aV7VwMTw3rSa2tP0U8crYAAAZ5NrRHXlYms5BK9vsi1322dAvhyNRawdprP627SO+Ez/84tY xz1X3M9esbN7gpJtHP6mHW76zYpT447v6c2qlbldjobZTDb6kKSGFCIrPJz9M4jVfya+ovxe 2Ab7hn2R0CcyMHATV5g1Ry0XXaj5y3bWypActbG9nflRn3NjhHZynu+WEPDUJCO8kNVNYKOw HObNTeaLvgvU0ONB8pYJv35kDXMhZLwo5MJuJd5i54CXwpo9mECwLJT1RpJi7u98nBrWyyaH s2brG9LPCRKBKOhiHFu57H+cElh+kOvehuS7DFTzjqDwJlkQzP5Hq0G++hZxfdYocKdcdFoh RP3dtDAe+Lfiy9qzJicZ6ACbzoQIN58xj0VWAn1W7SuMErOjv84D/FiXHD2Kxtx09wQl8vH0 Nbh9UgyDBNupToM0ixT+8Ko8eBuYHR53RPxshQhFw4EMIhXiOaxNe1W2Z95QPnYhUGOMoy3I v4fxMQUHa4kZSF2qxsFB1Cxol/aBPGwkwoqUvzp23pLQtJ6youYXtLgvx3pR4L52Q5CUzHMa HvM67XWgW1KqtnvNBXN9PwtDz/a9fQX1YO4CegrXv8C9Ro+LABEBAAHCwV8EGAECAAkFAlRj Vn0CGwwACgkQ79YUOj7yLS8rXA/9EGX2QRfJS94JTdtseu7saTK9a3IKwk6E33GpfXyUVpMt sOqV756XQwULZSWoxInRQtWojA8pQxDUYrbA4MpX0Efr2Dx1xIsJ5F3JajOqViB1SbOD2m0f bxXbcoWKitsKoag2SlvNOd8rD9FcgDvrkacnaQZcZE8DyyGx0JU451tfoD/igu85NZpTDaWG 6fth7QRlxmdGWrGXRdXAP29jq1n0I1wIyF/bXlZ7MXjOSsfyPddzsnHFTvNMZKps0QXNF+hi ESg9chIeo/IFDDVu6pCtm6mftojx84rczTZiNk8r2T3TU4N8uwWtXn/nj9xd61pnxD0xkTPH zxJrCs59WSfYqj3aFNkWO3Lg0/HGnO9wHQKMXcGPsnKITHVzxCNBQtVHomNA7ds6Kt3/WJgS pU2ciICvrpvKgPNWQ0d/SeY3vYIRvDLZ12Svx6M3eXDrsgZOT5be7kGVr3t7dBOYKcRHkZUq kU1kCcgp0vetISVDOc5fkpdUkAtd5/13pIpz4ikVR3OM4Br4XMVShm6RvoP4pyA+ftCi1+bw 0UbRCrnHgnG+wtCf5nMDGVLc04vITnII+ESZqlF02a1IFj0Z2MuQK2Oszl2Nsx/LG60G1e/R pzKEXIIJgHfbwUCWtV1zQu6v9Ng5H8EqVeWcdaPUwSQMGcDg/sPa4s/OxhgrYBg=
In-Reply-To: <3e05747a-810d-4d69-ac77-10562ae4df0c@hxr.us>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: G3OCRQUKQWX7N2HOJ55M5YDQRYEQ4LHX
X-Message-ID-Hash: G3OCRQUKQWX7N2HOJ55M5YDQRYEQ4LHX
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-ds-automation@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Andy Newton's Discuss on draft-ietf-dnsop-ds-automation-08: (with DISCUSS and COMMENT)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4y1y1pQ5VPBl5-EXPRkLLxtNN9A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Andy,

Thanks for looking into my responses in detail.

Based on your suggestions, I've elevated one "SHOULD NOT" to "MUST NOT" (see below).

In total, there are now 8 MUST-level requirements in the new document.

The changes from this review are summarized in https://github.com/desec-io/draft-ietf-dnsop-ds-automation/commit/fe21c692f0e8c72840cf0514099a0bbcac869b67.

The rendered diff is currently visible at https://author-tools.ietf.org/iddiff?url1=draft-ietf-dnsop-ds-automation-08&url2=https://desec-io.github.io/draft-ietf-dnsop-ds-automation/draft-ietf-dnsop-ds-automation.txt.

On 5/20/26 15:38, Andy Newton wrote:
>>> #### 5-15 Minutes
>>>
>>> 240        2.  Parent-side entities (such as registries) SHOULD reduce a DS
>>> 241            record set's TTL to a value between 5–15 minutes when a new set
>>> 242            of records is published, and restore the normal TTL value at a
>>> 243            later occasion (but not before the previous DS RRset's TTL has
>>> 244            expired).
>>>
>>> Why isn't this a MUST? It is a SHOULD for both behaviors (the 5-15 minute TTL)
>>> and the restoration of the TTL. At the very least, it seems the restoration of
>>> the "normal" TTL value is a MUST. However, why isn't the 5-15 minute value a
>>> MUST? Otherwise an operator can set it to 5 years justified with "because I
>>> just wanted it that way". If the SHOULD is to remain, isn't there a reasonable
>>> upper boundary behavior such as not being greater than the normal TTL value?
>>
>> Two thoughts:
>>
>> - TTLs accepted by resolvers are bounded in practice. Most do not accept arbitrarily long TTLs, as that has other security issues such as retaining a hijacked delegation beyond its actual removal. I can collect numbers if needed, but my recollection is that TTLs over 1-2d are not honored in practice.
>>
>> - The above resolver-side constraint aside, parents can set whatever TTLs they want, even without DS automation. DS automation does not change that. The point of this provision in the document is to mitigate the impact of a botched DS update, not to give general recommendations about what TTLs should be used in a TLD registry. (In practice, TTLs in TLD zones vary between 1h and 48h.)
>>
>> - It's not a MUST because there is no problem if the registry uses a TTL of 20 or 30 minutes permanently, for example. Also, when DS automation is performed by the registrar, the registrar may not have the ability to enforce TTL adjustment. -- Now one could say that the document should take the stance that DS automation is to be done by registries and not registrars. However, getting into that discussion was very very clearly rejected by many participants: the registries and registrars want to sort out these responsibilities between themselves. And indeed, it's a business decision, not primarily a technical one.
> 
> If there are no interoperability issues with the registry setting 30 minutes as the TTL value, which is outside the 5 to 15 minute suggestion, then this is not a normative requirement and the SHOULD is to be lower-cased and/or changed to use non-BCP14 language.

Taking the DISCUSS seriously, please excuse me for mounting a discussion ;-) I will lay out my understanding but eventually defer as I don't have the necessary context on which documents may (not) make which particular use of these key words across IETF areas. Other ADs may know better than I do, so I'd prefer to eventually defer. I appreciate the learning opportunity for when I'll be serving as an editor in the future!

First, RFC 2119 Section 6 (and the IESG statement [1]) mandates to only use uppercase key words when "actually required for interoperation or to limit behavior which has potential for causing harm". The RFC itself details:

    ... potential for causing harm (e.g., limiting retransmisssions)  For
    example, they must not be used to try to impose a particular method
    on implementors where the method is not required for
    interoperability.

In this context, it seems to me that your view (~"30 minutes TTL don't cause an interoperability issue, so uppercase is inappropriate") is not compelling. For example, a higher TTL does have a slight risk of causing retransmissions, namely when the new DS record set is botched and causes SERVFAILs on lookups, which are not cacheable and will cause look-up retries. When the DS TTL is set to 5-15 minutes instead of 30, there will be less retries, as a correction to the DS RRset will be visible more quickly. The DNSOP WG has determined that 5-15 is the best, albeit not the only choice to address this risk. Yet, there is no interoperability issue when deviating a bit.

The IESG statement [1] also has a section on "Common Additional Uses of Key Words" which endorses use of uppercase key words for operational requirements, and the 5-15' recommendation arguably is an operational (soft) requirement and not just an opinion (that is, "it's best done this way").

To reiterate, this is my understanding, but I may not have the full picture across IETF areas.

[1]: https://datatracker.ietf.org/doc/statement-iesg-statement-on-clarifying-the-use-of-bcp-14-key-words/


Our discussion made me reconsider an earlier change I had confirmed in https://mailarchive.ietf.org/arch/msg/dnsop/bO0CX4FPyS907p0HZLF5Xilxbdo/, namely that the reporting recommendations in Section 5.1 should be lowercased.

That was based on the insight that, as you pointed out, reporting is not an interoperability requirement. However, the "Common Additional Uses of Key Words" section of [1] explicitly lists:

	- Operational requirements, especially around mandatory logging
	  and configuration needed to produce successful deployments

It seems to me that reporting is pretty much the same as logging, except to a different party (namely, the child operator, the registrant and the like). The guidance in the IESG's statement is not limited to actual logging, it only names it especially, yet as an example. Section 5.1 thus appears appropriately covered by this clause. As a result, I've reverted this change.

As above, I'm not objecting to making any changes if I'm in the rough; I just don't know whether I am.

>>> Also, is "normal TTL value" the previous TTL value? If not, what does that mean?
>>
>> The "normal TTL value" is indeed the "previous" one when an update is applied. However, for DS initialization, there is no previous one, so the term would only capture updates.
>>
>> Happy to change to a better adjective if it's not clear (pls let me know if you have another suggestion). OTOH, this was widely reviewed in the DNS and registry space (e.g., CENTR, APTLD, DNS OARC) and it seems like the use of "normal" was generally clear to the intended audience.
> 
> Some could have interpreted it as the previous value and others the default value by policy. I think it is best to be explicit. Perhaps "previous TTL value or default TTL value absent a previous value".

Sounds great. I've noted down the following change for the next revision:

OLD
    restore the normal TTL value

NEW
    restore the previous (or, if unavailable, default) TTL value

>>> #### Both CDNSKEY and CDS
>>>
>>> 246        3.  DNS operators SHOULD publish both CDNSKEY and CDS records, and
>>> 247            follow best practice for the choice of hash digest type
>>> 248            [DS-IANA].
>>>
>>> Section 4.2.3 does a good job of explaining why both CDNSKEY and CDS are
>>> needed, so it seems the justification here is a MUST. In other words, if you
>>> want to interoperate, the operator MUST do this otherwise there is likely to be
>>> a problem.
>>
>> There is no problem if the child operator knows which type of update format (CDS or CDNSKEY) the parent consumes. There would only be a problem if the parent insisted on both being published. Indeed, that provision was part of the draft, but was removed in -01 due to argument that it's not a good idea to reject an update just because a redundant format is missing.
>>
>> A written record of this argument can be found at https://mailarchive.ietf.org/arch/msg/dnsop/ObpPwt5_HrmsPXE3dG8CrJUP9mg/; more feedback in that direction was gathered during an in-person workshop at DNS OARC 45.
>>
>> Given these points, it seems not generally required for interoperability to publish both CDS and CDNSKEY, although if you do so you can be agnostic about the parent's preference and avoid certain risks. But, if you know what you're doing and what the parent expects, the risk goes away. Hence the SHOULD.
>>
>> See also https://mailarchive.ietf.org/arch/msg/dnsop/Uv-oyqj-gp1dlfPIofct22Ijqo0/.
> 
> Why can't the guidance be more explicit? "Unless the child and parent have agreed upon using either CDS or CDNSKEY, DNS operators MUST publish both CDNSKEY and CDS."

Such agreement is not to be expected in practice, as domain registries generally do not have any sort of agreement with DNS child operators. There may be rare exceptions (which "SHOULD" would accommodate), but the registry's preferred ingestion format is normally published in their DNSSEC Practice Statement.

Additionally, such agreements are something to actually advise against, because they ossify expectations and prevent the registry to change their preferred format later. If either CDS or CDNSKEY are eventually deprecated (and removing this dichotomy would be a good thing), at least some registries would have to make that change, and agreements like the above would stand in the way. (That's why my point earlier was on the child operator "knowing" the preference, such as from a DNSSEC Practice Statement, not the registry committing to it in an agreement.)

Aren't the risks a child operator might be incurring covered by the sentence you proposed in https://mailarchive.ietf.org/arch/msg/dnsop/8hgHnyVsxVYSyGcn6oBUJT9GGzo/? I've already added this for the next revision:

    When implementing these recommendations, operators MUST mitigate
    issues arising from any particular deviation.

>>> #### SHOULD NOT initialize
>>>
>>> 675        5.  In the RRR model, a registry SHOULD NOT automatically initialize
>>> 676            DS records when it is known that the registrar does not provide a
>>> 677            way for the domain holder to later disable DNSSEC.  If the
>>> 678            registrar has declared that it performs automated DS maintenance,
>>> 679            the registry SHOULD publish the registrar's [RFC9859]
>>> 680            notification endpoint (if applicable) and refrain from registry-
>>> 681            side DS automation.
>>>
>>> Under what conditions are violating these SHOULD NOT/SHOULD acceptable?
>>> If there are conditions for doing so, the document should attempt to describe
>>> those conditions. Otherwise, aren't these MUST NOT and MUST?
>>
>> It's a little complicated. First, about the SHOULD NOT:
>>
>> At OARC 45, it was proposed to even remove this provision, because a registrant can always change registrars when they don't like that their registrar doesn't provide a way to remove a DS record when needed. That's of course not very helpful when you're already locked up in a situation where a DS record has been provisioned, and now you can't get rid of it. I'm pointing this out to illustrate that this recommendation itself (independently of which normative word is used) has only rough consensus.
>>
>> At OARC 45, it was also discussed to tighten this recommendation. This was deemed unrealistic by registries as there is no protocol for a registry to discover whether a registrar provides a channel for removing a DS record. It seems impossible to design such a protocol that would be more likely to be adopted by registrars than the DS-removal channel itself. Registries present in the room therefore clearly stated that they don't want to be responsible for missing knowledge about which registrar is defective in that sense, and a tighter version did not find consensus.
> 
> There may not be a protocol, but there is a relationship between registries and registrars. They exchange money, credentials, allow lists, etc... so there is an opportunity for a registry to learn this about the registrar.

I agree with this, and I wish that such alignment could be reliably achieved. However, doesn't it seem unlikely that a registrar who's unreliable enough to not provide a DS removal mechanism would make the effort to tell all of their contracted registries about that?

>> OTOH, in the gTLD space, registrars are contractually obliged to provide a DS provisioning channel (which I think includes removal), so this recommendation really applies in the ccTLD space only. The scope of this recommendation (and the consequences of it being suboptimal in a way) therefore is not as broad as it might seem at first sight. The SHOULD is supposed to be a strong technical hint ("undesirable stuff happening if you don't adhere!") that takes the above consensus complications into account.
> 
> IMHO, this is a MUST NOT as DS automation interoperation can be harmed (assuming removing DS records is a requirement for DS automation). The only reason I can think that the guidance is SHOULD NOT would be if the registry has some fore knowledge that the registrant would never disable DNSSEC.... and that seems implausible.

That's correct.

I now realize that the recommendation in question says that a registry ought not to automatically initialize DS records "when it is known" that the registrar doesn't provide a way back.

Given that this is hedged with "when it is known", I now think that "MUST NOT" is indeed appropriate: Registries who don't know about that obviously can't do much (until they are told about the registrar's lacking DS-removal mechanism), but once they know, there indeed seems to be little excuse for them to not care.

So, I'll stop talking about the "how to know" complications, and have turned the "SHOULD NOT" into a "MUST NOT".

>> As for the SHOULD, no problems are expected if the registry does not publish the RFC9859 notification endpoint. In that case, the registrar may do CDS/CDNSKEY scanning [1][2] and all is fine. Notifications only offer a timing advantage. There is also no problem if the registry does not stop DS automation while the registrar does so as well, as DS updates are idempotent. Parallel automation therefore is unnecessary and wasteful, but not strictly an interoperability problem. For details, see Section 7.2.3 of the draft.
>>
>> Examples of registrars doing CDS/CDNSKEY scanning:
>> [1] hourly: https://docs.glauca.digital/domains/cds/
>> [2] daily: https://domainname.shop/faq?id=395&section=7
> 
> Given your explanation, the SHOULD does not seem to be normative.

I think this falls under the "limiting retransmissions" provision of RFC 2119 Section 6, but again defer to others -- if the IESG think this should not be uppercase, I'll of course apply the change.

>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
[...]
>>> ### RDAP TTLs
>>>
>>> 410        5.  The currently active DS configuration SHOULD be made accessible
>>> 411            to the registrant (or their designated party) through the
>>> 412            customer portal available for domain management.  The DS update
>>> 413            history MAY be made available in the same way.
>>>
>>> https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-ttl-extension/ is also
>>> a good way to make the currently active TTL values available to the registrant
>>> or their designated party.
>>
>> I will make a note in Section 5.2. My impression is that publicly stating the TTL policy would belong into DNSSEC Practice Statements, so I'd be reluctant to include it as a recommendation.
> 
> I agree. That is only informative, as is all of item 5.
I beg to disagree: As mentioned above, uppercase key words are fine "to limit behavior which has potential for causing harm". Operational harm is certainly imaginable when a registrant can't inspect their current configuration after it has been changed through DS automation, and the registrant wrongly assumes a different state while operating their nameserver (I'll be happy to come up with some specific instances where that could play a role).

Similarly, inspection of the DS history may help prevent operational harm by detecting when the registrar was hijacked and the adversary adjusted the DS RRset and then changed them back. (Several instances of that are known, will be happy to provide references.) Thus, I think BCP14 key words are actually appropriate for item 5.

As usual, I'll be happy to be in the rough if the IESG has a different view, and will be applying all changes you guys find consensus for.

Thanks again for arguing with me,
Peter