use CDS records in dnssec-checkds
The only standard way to know what a zone's DS records should be is to look at its CDS/CDNSKEY records. There are software-specific ways that inspect the signer's key store. And by itself the DNSKEY RRset is not enough during a rollover.
This patch series adds support for child-side DS management, for use by delegation update scripts, such as registrar API clients.
These scripts can use `dnssec-dsfromkey -k -f` to get the expected DS records from a zonefile (or just the DNSKEY, CDNSKEY, and CDS records) without having to reimplement the logic themselves (e.g. skipping revoked keys, skipping SHA-1, etc.)
And `dnssec-checkds` uses this new mode to correctly check consistency during rollovers.
Edited by Tony Finch
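As an added example (not part of this patch series or of BIND's own code), the script below does the step a delegation update script performs after collecting the expected records: it parses the DS lines that `dnssec-dsfromkey` prints for the child, parses the DS RRset the parent currently serves, and reports which DS records the parent must add or remove so the two sets agree. The record lines, key tags and digests are constructed for the example and are not real; the only assumption about `dnssec-dsfromkey` is that it prints DS records in standard presentation format.

```python
"""Diff the DS set a child advertises (as printed by dnssec-dsfromkey)
against the DS RRset at the parent, the way a registrar API client would
before pushing an update. All sample data below is constructed."""
from __future__ import annotations

import re
from typing import NamedTuple


class DS(NamedTuple):
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


# Hex digest length per DS digest type (SHA-1, SHA-256, SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def parse_ds_line(line: str) -> DS:
    """Parse one DS record in presentation format:
    owner [TTL] [class] DS key_tag algorithm digest_type digest..."""
    tokens = line.split()
    if "DS" not in tokens:
        raise ValueError(f"not a DS record: {line!r}")
    i = tokens.index("DS")
    owner = tokens[0].lower()
    if not owner.endswith("."):
        owner += "."
    key_tag, algorithm, digest_type = (int(t) for t in tokens[i + 1 : i + 4])
    # The digest may be split across whitespace; case is not significant.
    digest = "".join(tokens[i + 4 :]).upper()
    expected_len = DIGEST_HEX_LEN.get(digest_type)
    if expected_len is None or len(digest) != expected_len or not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError(f"malformed digest for digest type {digest_type}: {line!r}")
    return DS(owner, key_tag, algorithm, digest_type, digest)


def parse_ds_set(text: str) -> frozenset[DS]:
    """Parse a block of DS lines, ignoring blank lines and ';' comments."""
    return frozenset(
        parse_ds_line(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith(";")
    )


def plan_ds_update(child_output: str, parent_rrset: str) -> tuple[frozenset[DS], frozenset[DS]]:
    """Return (to_add, to_remove): the DS records the parent must publish or
    drop so that its DS RRset equals the set the child advertises."""
    expected = parse_ds_set(child_output)
    current = parse_ds_set(parent_rrset)
    owners = {ds.owner for ds in expected | current}
    if len(owners) > 1:
        raise ValueError(f"records for more than one zone: {sorted(owners)}")
    return expected - current, current - expected


def ds_consistent(child_output: str, parent_rrset: str) -> bool:
    """True when the parent already serves exactly the expected DS set."""
    to_add, to_remove = plan_ds_update(child_output, parent_rrset)
    return not to_add and not to_remove


# Constructed sample: what dnssec-dsfromkey might print for a child zone in
# the middle of a KSK rollover, with both keys published via CDS.
CHILD_DS_OUTPUT = f"""\
example.test. IN DS 11111 13 2 {'A1' * 32}
example.test. IN DS 22222 13 2 {'B2' * 32}
"""

# Constructed sample: the DS RRset the parent currently serves. It has the
# old key (lower-case digest) plus a stale SHA-1 DS that must go.
PARENT_DS_RRSET = f"""\
example.test. 86400 IN DS 11111 13 2 {'a1' * 32}
example.test. 86400 IN DS 11111 13 1 {'C3' * 20}
"""

if __name__ == "__main__":
    to_add, to_remove = plan_ds_update(CHILD_DS_OUTPUT, PARENT_DS_RRSET)
    for ds in sorted(to_add):
        print("ADD   ", ds)
    for ds in sorted(to_remove):
        print("REMOVE", ds)
    print("consistent:", ds_consistent(CHILD_DS_OUTPUT, PARENT_DS_RRSET))
```

The comparison is on the full (key tag, algorithm, digest type, digest) tuple after normalisation, so a re-published digest in different case is not mistaken for a change, while a leftover SHA-1 DS at the parent shows up as something to remove even though the child's expected set no longer mentions it.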