GitLab

This issue is a list of enhancements to dnssec-checkds intended to support automatic KSK rollovers.

The context for this is that dnssec-keymgr needs to have an interlock in the KSK rollover process to make sure the parent zone is up-to-date before dnssec-keymgr proceeds to make any potentially breaking changes. The current manual page sensibly suggests using dnssec-checkds for this purpose.

I intend to work on these features; this issue is for sketching out what I plan to work on and for refining the plan.

CDS / CDNSKEY support

At the moment, dnssec-checkds is unaware of CDS and CDNSKEY records.

It should be improved so that (in its normal mode of operation) dnssec-checkds will verify that the parent DS records match the child's CDS records. Unlike the current behaviour (which checks the delegation works, rather than being consistent) no differences will be permitted.

The idea is that CDS records are used to communicate the rollover state from dnssec-keymgr to dnssec-checkds, so dnssec-checkds only needs to look at the DNS, not at the keys on disk.

DS digest algorithm control

At the moment, dnssec-checkds expects both SHA-1 and SHA-256 DS digests. This should be amended to SHA-256 only by default.

When dnssec-checkds is comparing DS records against CDNSKEY or DNSKEY RRsets, it should be possible for the invoker to specify algorithms that must be present, or must not be present, or no preference.

Recursive vs authoritative lookups

At the moment, dnssec-checkds queries via the default recursive server. There is a risk that it will get a falsely positive answer if there is a large propagation delay between parental authoritative servers, but the local resolver happens to be talking to a parental server with a low delay.

In authoritative mode, dnssec-checkds should get the list of parent servers from the local resolver, then query each of them, and ensure they all give the OK.