[dnssec-coord] TLD's/Registrars interested in Automated CDS/CDNSKEY with CDS0 support

Oli Schacher oli.schacher at switch.ch
Tue Aug 28 23:40:15 PDT 2018


SWITCH is implementing RFC7344 / RFC8078 support for .ch and .li

Our current acceptance criteria for initial trust are:

 - Must publish CDS (we ignore CDNSKEY)
 - Must publish static CDS RRSET for at least three consecutive days
 - CDS RRSET must be consistent on all glue NS IPs
 - Zone must validate using the new DS RRSET

The scan runs daily and performs all requests over TCP. Also the scan is
performed from two locations and the initial trust is only considered if
both locations return the same CDS rrset. "Consecutive days" only count
if the scan ran successfully. Changes to the DS over EPP have preference
and reset all CDS processing counters.

-- 
Oli

SWITCH DNS Operations
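
The acceptance criteria in the message above, replayed over a sequence of daily scan results. This is an added example, not part of the original message and not SWITCH's code. The record fields, location names and helper names are assumptions, the sample data is constructed, and treating a failed scan as neither counting nor resetting the streak is one reading of "only count if the scan ran successfully".

```python
from dataclasses import dataclass

REQUIRED_DAYS = 3  # "at least three consecutive days" (from the post)

@dataclass
class DailyScan:  # field names are assumptions made for this example
    cds: dict                    # {location: {glue_ns_ip: frozenset of CDS rdata}}
    ok: bool = True              # the scan ran successfully
    validates: bool = True       # zone validates with the DS derived from the CDS
    epp_ds_change: bool = False  # DS was changed over EPP on this day

def agreed_rrset(scan):
    """CDS RRset identical on every glue NS IP from both locations, else None."""
    seen = {rrset for per_ns in scan.cds.values() for rrset in per_ns.values()}
    if len(scan.cds) < 2 or len(seen) != 1:
        return None
    return next(iter(seen)) or None  # empty RRset: no CDS published

def initial_trust(scans):
    """Replay daily scans in order; return the CDS RRset to accept, or None."""
    streak, current = 0, None
    for scan in scans:
        if scan.epp_ds_change:   # EPP has preference and resets the counters
            streak, current = 0, None
        elif not scan.ok:        # assumption: failed scan neither counts nor resets
            continue
        else:
            rrset = agreed_rrset(scan)
            if rrset is None or not scan.validates:
                streak, current = 0, None
            elif rrset == current:
                streak += 1
            else:                # RRset changed, so it is not static yet
                streak, current = 1, rrset
    return current if streak >= REQUIRED_DAYS else None

# Constructed sample data: documentation addresses and placeholder digests.
NS = ("192.0.2.53", "2001:db8::53")
KEY_A = frozenset({"12345 13 2 <constructed-digest-a>"})
KEY_B = frozenset({"54321 13 2 <constructed-digest-b>"})

def make_scan(loc1, loc2=None, **flags):
    """Build a DailyScan where each location sees one RRset on all glue NS IPs."""
    loc2 = loc1 if loc2 is None else loc2
    return DailyScan({"site1": dict.fromkeys(NS, loc1),
                      "site2": dict.fromkeys(NS, loc2)}, **flags)

if __name__ == "__main__":
    print(initial_trust([make_scan(KEY_A)] * 3))  # three static days
    print(initial_trust([make_scan(KEY_A), make_scan(KEY_A, KEY_B), make_scan(KEY_A)]))
```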