Clarifications on CDS/CDNSKEY and CSYNC Consistency
draft-ietf-dnsop-cds-consistency-11
Yes
No Objection
Erik Kline
Gunter Van de Velde
Jim Guichard
Ketan Talaulikar
Orie Steele
Note: This ballot was opened for revision 09 and is now closed.
Éric Vyncke
Yes
Comment
(2025-11-19 for -09)
Sent
TL;DR: this ballot as no comment, only thank you messages # Éric Vyncke, INT AD, comments for draft-ietf-dnsop-cds-consistency-09 CC @evyncke Thank you for the work put into this document. Special thanks to Ondřej Surý for the shepherd's detailed write-up including the WG consensus *and* the justification of the intended status. Other thanks to David Blacka, the DNS directorate reviewer, and I have seen the author's reply: https://datatracker.ietf.org/doc/review-ietf-dnsop-cds-consistency-09-dnsdir-lc-blacka-2025-10-23/ I hope that this review helps to improve the document, Regards, -éric
Mohamed Boucadair
Yes
Comment
(2025-11-04 for -09)
Not sent
Please note that although RFC7344 was initially published as Informational, the status was changed since then to Standards Track (see https://datatracker.ietf.org/doc/status-change-rfc7344-from-informational-to-standards-track/)
Paul Wouters
Yes
Comment
(2025-11-17 for -09)
Sent
I did not raise my comments to the level of DISCUSS, but it would be good to have a discussion
on these items. I do believe it is always better to insist on consistencies, hence not raising
these to discuss level.
Readers are expected to be familiar with DNSSEC, including [RFC4033], [RFC4034], [RFC4035], [RFC7344], and [RFC7477],
Note the canonical reference for DNSSEC these days is RFC9364. As that draft states:
One purpose is to introduce all of the RFCs in one place so that the reader can understand
the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose
is to state that using DNSSEC for origin authentication of DNS data is the best current practice.
A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.
So that seems to exactly match the use here.
During initial DS provisioning (DNSSEC bootstrapping), conventional DNSSEC validation for
CDS/CDNSKEY responses is not (yet) available; in this case, authenticated bootstrapping ([RFC9615])
should be used.
Or a regular EPP method can be used instead of trying to bootstrap through DNS.
who may then inadvertently break the chain of trust by prematurely removing a DNSKEY still referenced
by a (stale) CDS/CDNSKEY RRset.
I am confused here. How can one "prematurely" remove a DNSKEY that is referenced by a (stale)
CDS/CDNSKEY ?? I think you mean "accidentally" remove a newly introduced DNSKEY that is not
referenced by a (stale) CDS/CDNSKEY?
In particular, the rogue nameserver can publish CDS/CDNSKEY records. If those are processed
by the parent without ensuring consistency with other authoritative nameservers, the
delegation will, with some patience, get secured with the attacker's DNSSEC keys.
Note as per RFC7344 this cannot happen. CDS/CDNSKEY records MUST validate before being processed,
or covered via an alternative method:
The following acceptance rules are placed on the CDS and CDNSKEY
resource records as follows:
o Location: MUST be at the Child zone apex.
o Signer: MUST be signed with a key that is represented in both the
current DNSKEY and DS RRsets, unless the Parent uses the CDS or
CDNSKEY RRset for initial enrollment; in that case, the Parent
validates the CDS/CDNSKEY through some other means (see
Section 6.1 and the Security Considerations).
RFC9516 updates this but also requires another signal in that case:
https://datatracker.ietf.org/doc/html/rfc9615#signaling
Andy Newton
(was Discuss)
No Objection
Comment
(2025-12-11)
Sent
Thanks for all the work on this document.
Deb Cooley
No Objection
Comment
(2025-11-19 for -09)
Not sent
Thanks to Charlie Kaufman for their secdir review. I support Andy Newton's discuss, and Paul Wouter's request for discussion.
Erik Kline
No Objection
Gorry Fairhurst
No Objection
Comment
(2025-11-16 for -09)
Sent
Thanks for this document. I appreciated the examples appendix. It might be helpful to note at the head of the appendix that this is indeed informative.
Gunter Van de Velde
No Objection
Jim Guichard
No Objection
Ketan Talaulikar
No Objection
Mike Bishop
(was Discuss)
No Objection
Comment
(2025-12-03 for -09)
Sent
Retaining my previous points here, since I think some text or an informative reference would be helpful, but the fact that they're understood and being considered in a related draft is enough to clear the DISCUSS. Thank you! ==== In Section 3.2, we see the following text: > CSYNC-based updates may cause validation or even insecure resolution to break (e.g., by changing the delegation to a set of nameservers that do not serve required DNSKEY records or do not know the zone at all). Parental Agents SHOULD check that CSYNC-based updates, if applied, do not break the delegation. Is there a definition of how the Parental Agent "check[s] that ... updates ... do not break the delegation"? I would have expected a more concrete instruction here, such as repeating the same queries on the proposed delegation targets and ensuring that they, too, return records consistent with what was found on the existing nameservers. Perhaps this already exists somewhere and a reference is sufficient? From discussion, it appears that Section 2.2.1 of draft-ietf-dnsop-ds-automation addresses this in more detail. I think what we ultimately want is something like "SHOULD synthesize the new NS, DS, and other records which would be applied if the update were accepted, then verify the existence and valid signature of the DNSKEY record on each nameserver referenced by an NS record in the new set."
Orie Steele
No Objection
Roman Danyliw
No Objection
Comment
(2025-11-19 for -09)
Not sent
Thank you to Vijay Gurbani for the GENART review. I support the DISCUSS position of Andy Newton.