[dnssec-coord] TLD's/Registrars interested in Automated CDS/CDNSKEY with CDS0 support

Ólafur Guðmundsson olafur at cloudflare.com
Fri Aug 31 13:00:59 PDT 2018


This is great and I like your aggressive acceptance policy.

Anyone else?

Ólafur

sent from phone

On Wed, Aug 29, 2018, 18:41 Oli Schacher <oli.schacher at switch.ch> wrote:

> SWITCH is implementing RFC7344 / RFC8078 support for .ch and .li
>
> Our current acceptance criteria for initial trust are:
>
>  - Must publish CDS (we ignore CDNSKEY)
>  - Must publish static CDS RRSET for at least three consecutive days
>  - CDS RRSET must be consistent on all glue NS IPs
>  - Zone must validate using the new DS RRSET
>
> The scan runs daily and performs all requests over TCP. Also the scan is
> performed from two locations and the initial trust is only considered if
> both locations return the same CDS rrset. "Consecutive days" only count
> if the scan ran successfully. Changes to the DS over EPP have preference
> and reset all CDS processing counters.
>
> --
> Oli
>
> SWITCH DNS Operations
>
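The initial-trust criteria quoted above, written out as an added example; it is not part of the thread and is not SWITCH's implementation. The `DailyScan` structure and all names are hypothetical, the `validates` flag is assumed to come from a separate DNSSEC validator, and treating a failed scan as "does not count, does not reset" is one reading of the quoted text.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

CDS = FrozenSet[str]  # one CDS RRset, as a set of rdata strings

@dataclass
class DailyScan:
    """One day's scan result (hypothetical structure)."""
    answers: Dict[str, Dict[str, CDS]]  # scan location -> {glue NS IP -> CDS RRset}
    ok: bool = True              # scan ran successfully (all queries over TCP)
    validates: bool = True       # zone validates with the DS derived from the CDS
    epp_ds_change: bool = False  # DS was changed over EPP that day

def agreed_cds(scan: DailyScan) -> Optional[CDS]:
    """The one non-empty RRset seen on every NS IP from both locations, else None."""
    seen = {rrset for per_ip in scan.answers.values() for rrset in per_ip.values()}
    if len(scan.answers) < 2 or not all(scan.answers.values()) or len(seen) != 1:
        return None
    return next(iter(seen)) or None  # an empty RRset means no CDS is published

def initial_trust(history: List[DailyScan], required_days: int = 3) -> Optional[CDS]:
    """Return the CDS RRset to accept for the initial DS, or None if criteria are unmet."""
    streak, current = 0, None
    for day in history:
        if day.epp_ds_change:   # EPP has preference: reset all CDS counters
            streak, current = 0, None
            continue
        if not day.ok:          # assumption: a failed scan neither counts nor resets
            continue
        cds = agreed_cds(day)
        if cds is None:         # missing or inconsistent CDS breaks the streak
            streak, current = 0, None
        elif cds == current:    # same static RRset as the previous counted day
            streak += 1
        else:                   # RRset changed: start counting again
            streak, current = 1, cds
        if streak >= required_days and day.validates:
            return current
    return None

def sample_scan(cds_a: str, cds_b: str, **kw) -> DailyScan:
    """Constructed sample: two locations, two glue IPs; one answer returns cds_b."""
    a, b = frozenset([cds_a]), frozenset([cds_b])
    return DailyScan({"loc1": {"192.0.2.1": a, "192.0.2.2": b},
                      "loc2": {"192.0.2.1": a, "192.0.2.2": a}}, **kw)

K1 = "11111 13 2 <constructed-digest-1>"  # constructed CDS rdata, not real
K2 = "22222 13 2 <constructed-digest-2>"  # constructed CDS rdata, not real
```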