dnssec-checkds KSK rollover enhancements
This issue is a list of enhancements to dnssec-checkds intended to support automatic KSK rollovers.
The context for this is that dnssec-keymgr needs an interlock in the KSK rollover process to make sure the parent zone is up to date before dnssec-keymgr proceeds to make any potentially breaking changes. The current manual page sensibly suggests using dnssec-checkds for this purpose.
I intend to work on these features; this issue is for sketching out what I plan to work on and for refining the plan.
CDS / CDNSKEY support
At the moment, dnssec-checkds is unaware of CDS and CDNSKEY records.
It should be improved so that, in its normal mode of operation, dnssec-checkds verifies that the parent's DS records match the child's CDS records. Unlike the current behaviour, which checks that the delegation works rather than that it is consistent, no differences will be permitted.
The idea is that CDS records are used to communicate the rollover state from dnssec-keymgr to dnssec-checkds, so dnssec-checkds only needs to look at the DNS, not at the keys on disk.
DS digest algorithm control
At the moment, dnssec-checkds expects both SHA-1 and SHA-256 DS digests. This should be amended to SHA-256 only by default.
When dnssec-checkds is comparing DS records against CDNSKEY or DNSKEY RRsets, it should be possible for the invoker to specify digest algorithms that must be present, must not be present, or for which there is no preference.
Recursive vs authoritative lookups
At the moment, dnssec-checkds queries via the default recursive server. There is a risk of a false positive: if there is a large propagation delay between the parent's authoritative servers, the local resolver may happen to be talking to a parent server with a low delay, and report the parent as up to date when other parent servers are not.
In authoritative mode, dnssec-checkds should get the list of parent servers from the local resolver, then query each of them, and ensure they all give the OK.
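The two checks sketched above (exact DS-versus-CDS consistency with a digest-type policy, and requiring every parent authoritative server to pass) can be expressed as follows. This is an added illustration, not code from dnssec-checkds; records are modelled as plain tuples, and the key tags, server names and digests are constructed placeholders rather than values fetched from the DNS.

```python
from typing import Dict, Iterable, List, Tuple

# A DS or CDS record modelled as (key tag, DNSKEY algorithm, digest type, hex digest).
DS = Tuple[int, int, int, str]
SHA1, SHA256 = 1, 2          # DS digest type codes (RFC 4034 / RFC 4509)
ECDSAP256SHA256 = 13         # DNSKEY algorithm used in the constructed sample data


def check_cds_consistency(parent_ds: Iterable[DS], child_cds: Iterable[DS],
                          require: Iterable[int] = (SHA256,),
                          forbid: Iterable[int] = (SHA1,)) -> List[str]:
    """Return a list of problems; an empty list means the parent is up to date.

    The parent DS RRset must equal the child's CDS RRset exactly (no
    differences are permitted), then the digest-type policy is applied: every
    type in `require` must be present, no type in `forbid` may be present, and
    any other type is accepted (no preference)."""
    parent, child = set(parent_ds), set(child_cds)
    problems = [f"CDS not yet published as DS at parent: {r}" for r in sorted(child - parent)]
    problems += [f"stale DS at parent not in child CDS: {r}" for r in sorted(parent - child)]
    present = {digest_type for _, _, digest_type, _ in parent}
    problems += [f"required digest type {t} missing at parent" for t in require if t not in present]
    problems += [f"forbidden digest type {t} published at parent" for t in forbid if t in present]
    return problems


def check_all_parent_servers(ds_by_server: Dict[str, Iterable[DS]],
                             child_cds: Iterable[DS], **policy) -> Dict[str, List[str]]:
    """Authoritative mode: every parent authoritative server must pass the
    check independently. Returns {server: problems} for the servers that failed."""
    failures = {}
    for server, ds_rrset in ds_by_server.items():
        problems = check_cds_consistency(ds_rrset, child_cds, **policy)
        if problems:
            failures[server] = problems
    return failures


# Constructed sample data: a KSK rollover with the old key (tag 12345) and the
# new key (tag 54321). Digests are placeholders, not real hashes.
OLD_DS = (12345, ECDSAP256SHA256, SHA256, "11" * 32)
NEW_DS = (54321, ECDSAP256SHA256, SHA256, "22" * 32)
CHILD_CDS = [OLD_DS, NEW_DS]                      # child has published CDS for both keys
PARENT_DS_BY_SERVER = {
    "ns1.parent.example.": [OLD_DS, NEW_DS],      # already picked up the new CDS
    "ns2.parent.example.": [OLD_DS],              # still serving the pre-rollover DS set
}

if __name__ == "__main__":
    for server, problems in check_all_parent_servers(PARENT_DS_BY_SERVER, CHILD_CDS).items():
        print(server, problems)
```

With the sample data only ns2.parent.example. is reported, which is exactly the case a query through a recursive resolver could miss if it happened to reach ns1.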