From f088657eb1e836b1e9900c71f07ef8e803606ec6 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 12 Apr 2022 15:26:18 +0200 Subject: [PATCH] Add CDS/CDNSKEY DELETE documentation Mention in the DNSSEC guide in the "revert to unsigned" recipe that you can publish CDS and CDNSKEY DELETE records to remove the corresponding DS records from the parent zone. --- doc/dnssec-guide/recipes.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst index 8f19e819d0..8a9f6ec2fc 100644 --- a/doc/dnssec-guide/recipes.rst +++ b/doc/dnssec-guide/recipes.rst @@ -1067,6 +1067,12 @@ Below is an example showing how to remove DS records using the Revert to Unsigned Step #4 +If your parent allows managing DS record via CDS/CDNSKEY, as described in +:rfc:`5155`, you could add CDS/CDNSKEY DELETE records in your zone to signal +that the corresponding DS records from the parent zone needs to be removed. +If it is unclear which format the parent zone is expecting, you should publish +both CDS and CDNSKEY DELETE records. + To be on the safe side, wait a while before actually deleting all signed data from your zone, just in case some validating resolvers have cached information. After you are certain that all cached @@ -1099,7 +1105,8 @@ Then use :option:`rndc reload` to reload the zone. The "insecure" policy is a built-in policy (like "default"). It will make sure the zone is still DNSSEC maintained, to allow for a graceful transition to -unsigned. +unsigned. It also publishes the CDS and CDNSKEY DELETE records for you when +the time is right. When the DS records have been removed from the parent zone, use :option:`rndc dnssec -checkds -key id withdrawn example.com ` to tell :iscman:`named` that
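Review bot: the RFC cited in the first hunk is wrong. :rfc:`5155` is DNSSEC hashed authenticated denial of existence (NSEC3); the CDS/CDNSKEY mechanism for managing DS records in the parent is :rfc:`7344`, and the DELETE form (the CDS/CDNSKEY record with algorithm 0 that asks the parent to remove the DS) is defined in :rfc:`8078`, so the sentence "If your parent allows managing DS record via CDS/CDNSKEY, as described in :rfc:`5155`" should cite :rfc:`8078` (or :rfc:`7344` and :rfc:`8078`). Two grammar fixes in the same paragraph: "managing DS record via" should read "managing DS records via", and "the corresponding DS records from the parent zone needs to be removed" should read "need to be removed"; "you could add" reads better as "you can add".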
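Review bot: "It also publishes the CDS and CDNSKEY DELETE records for you when the time is right." in the second hunk is too vague for a recipe; state what triggers their publication (which point in the transition to unsigned, or which key state) so an operator can check for them in the zone and knows when to expect the parent to act. It would also help to add that publishing the DELETE records only signals the parent: the step that follows, "use :option:`rndc dnssec -checkds -key id withdrawn example.com `" once the DS records have actually been removed, is still required, otherwise a reader may assume the "insecure" policy completes the whole DS removal on its own.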