Re: [DNSOP] how to delete obsolete DS for obsolete DNSKEY using CDS/CDNSKEY

[神明達哉 <jinmei@wide.ad.jp>]

At Thu, 6 Feb 2014 14:13:05 -0500,
Warren Kumari <warren@kumari.net> wrote:

> At time T+3 the child sees that the parent has published the new key
> information ( and the standard keyroll stuff has all happened (records
> are signed with new key, waited for old TTLs to expire, etc)) and so
> wants to remove the old key.
> ** This is, as far as I understand, what you were  asking about)

Yes, and...

> The child now publishes just the new key info. They stop publishing the old one.
> Parent:
>   example.com. 300  IN DS 31589 8 1 123456......
>   example.com. 300  IN DS 31589 8 1 789ABC......
> Child:
>   example.com. 300  IN CDS 31589 8 1 789ABC......
> [ Child is only publishing new record / they stop publishing the old one ]
>
> At time T+4 the parent checks agin (it polls, the human clicks the
> button on the web page, some other trigger happens, etc):
> It sees that what the child has published does not match what the
> parent currently has, and so it copies the contents from the child.
> Parent:
>   example.com. 300  IN DS 31589 8 1 789ABC......
> Child:
>   example.com. 300  IN CDS 31589 8 1 789ABC......
> [ The child and parent are back in sync. The old key (123456...) is no
> longer in use anywhere. ]

...this makes sense, and actually matches what I first thought was the
intent of the draft.  With this clarification I guess my confusion
mainly came from the first sentence of Section 4.1:

   Absence of CDS / CDNSKEY in child signals "No change" to the current
   DS set.

Now I understand this is intended to mean "absence of CDS / CDNSKEY
*RRset*", i.e., absence of any CDS / CDNSKEY.  But it was not super
clear when I first read it and it could also mean the absence
(removal) of this CDS at time T+4

  example.com. 300  IN CDS 31589 8 1 123456......

maybe I was the only person who was confused about this, but it
wouldn't do any harm to clarify the wording.

My original question is now resolved, but I have now another about the
"absence of CDS / CDNSKEY"...

> This means that you can use this to update / replace / remove existing
> DS records (if you have keys A, B, C and D and want to stop using C,
> you simply publish A, B, D), but you cannot remove *all* DS records /
> go unsigned.

This is fine, but technically doesn't it contradict Section 3?

   The CDS / CDNSKEY record is published in the child zone and gives the
   child control of what is published for it in the parental zone.  The
   CDS / CDNSKEY RRset expresses what the child would like the DS RRset
   to look like after the change;

In that, technically, an empty CDS / CDNSKEY RRset should mean the DS
RRset at the parent should be empty.  I have no problem with treating
an empty set as an exception, but I think it would help if the draft
explains that more explicitly.

I'd also note that "absence of CDS" (or CDNSKEY) cannot happen once
one such RR is published, and it should mean something erroneous (most
likely an operation error at the child or a bug in its tool).  I think
it's worth noting in Section 4.1.

Finally, I'd suggest explicitly clarifying that CDS / CDNSKEY cannot
be used for a child from signed to unsigned (since it would have to
remove all CDS / CDNSKEY records to do so).  And, I suspect this is a
"MUST NOT", unlike the case of initial enrollment described in Section
9, because this would break interoperability.

--
JINMEI, Tatuya