Csync implementation for cdnskey records #658

Closed
vohmar opened this issue Dec 18, 2017 · 1 comment · Fixed by #1603
vohmar commented Dec 18, 2017

The automated parent-child dnskey synchronization.

The goal is to scan the .ee zone and update it automatically with new DNSSEC key information.

  1. scan the whole zone every day
  2. if a new key is found or some key is removed
    2.1. if signed domain, update immediately
    2.2. if unsigned domain, monitor for n days and if data remains unchanged, update zone
  3. domain contacts must be informed if changes in dnskey material have been found (automated email)
  4. domain contacts must be informed if changes are made in zone (automated email)
  5. registrar must be informed when changes are made to their domain (epp change poll)

CSYNC: https://tools.ietf.org/html/rfc7477
Automating DNSSEC Delegation Trust Maintenance: https://tools.ietf.org/html/rfc7344
Managing DS Records from the Parent via CDS/CDNSKEY: https://tools.ietf.org/html/rfc8078
Change poll draft: https://tools.ietf.org/html/draft-ietf-regext-change-poll-04

cdnskey-scanner: https://github.com/CZ-NIC/cdnskey-scanner

Things to discuss before development:

  • how to update zone - cron/repp/ruby call/...
  • number of days new key material has to stay unchanged in NS to consider it safe to add to zone - 7/4/3
    • is it OK to skip the previous rule for new registrations - for how long can a domain be registered to be counted as new for this rule (ie 1 hour)
  • how to keep track of domains under change monitoring (before zone is updated)
    • what happens if NS is unreachable (wait for next scan/schedule new scan/remove from monitoring)
  • opt out? - for registrars (ie they want to scan their domains themselves) and registrants (registry lock?)
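The scan/monitor/update workflow of steps 1 to 5 above, modelled as a small state machine. This is an added example in Ruby, not code from this issue or from the registry project. Every name in it (`CdnskeySync`, the event types, the sample domains and key strings) is an assumption made for the example; the choices it makes for the open questions (wait for the next scan when the NS is unreachable, a 7-day stability window, a same-day exemption for new registrations) are likewise assumptions, not decisions recorded in the issue. Acceptance checks on the CDNSKEY material itself (algorithm support, signature validation) are out of scope here.

```ruby
require 'date'

# Added example (not the registry's code): one pass of the daily scan over a
# parent-zone view, applying the issue's rules for signed and unsigned domains.
class CdnskeySync
  # Notification events for steps 3, 4 and 5 of the issue.
  Event = Struct.new(:type, :domain, :keys, :day)

  attr_reader :zone, :pending, :events

  # zone: { domain => { signed: bool, keys: [dnskey strings], registered_on: Date } }
  # stable_days: days an unsigned domain's new key material must stay unchanged (assumed 7)
  # new_registration_window: registrations younger than this skip the waiting rule (assumed 1 hour)
  def initialize(zone, stable_days: 7, new_registration_window: Rational(1, 24))
    @zone = zone
    @stable_days = stable_days
    @new_window = new_registration_window
    @pending = {}  # domain => { keys: [...], first_seen: Date } while under monitoring
    @events = []
  end

  # scan: { domain => observed CDNSKEY strings, or nil when no NS could be reached }
  # An empty array models the "key removed" case.
  def process_scan(scan, today)
    scan.each do |domain, observed|
      entry = @zone.fetch(domain)
      # Unreachable NS: keep any pending observation and wait for the next scan (assumed policy).
      next if observed.nil?

      observed = observed.sort
      if observed == entry[:keys].sort
        @pending.delete(domain)  # child agrees with parent; nothing to monitor
        next
      end

      if entry[:signed] || newly_registered?(entry, today)
        apply(domain, observed, today)
      else
        monitor(domain, observed, today)
      end
    end
    @events
  end

  private

  def newly_registered?(entry, today)
    reg = entry[:registered_on]
    !reg.nil? && (today - reg) <= @new_window
  end

  def monitor(domain, observed, today)
    current = @pending[domain]
    if current.nil? || current[:keys] != observed
      # First sighting, or the material changed again: restart the clock, notify contacts (step 3).
      @pending[domain] = { keys: observed, first_seen: today }
      @events << Event.new(:dnskey_change_detected, domain, observed, today)
      return
    end
    # Same material seen again: update once it has stayed unchanged for stable_days.
    apply(domain, observed, today) if (today - current[:first_seen]) >= @stable_days
  end

  def apply(domain, observed, today)
    @zone[domain][:keys] = observed
    @zone[domain][:signed] = !observed.empty?
    @pending.delete(domain)
    @events << Event.new(:zone_updated, domain, observed, today)          # contacts email (step 4)
    @events << Event.new(:registrar_change_poll, domain, observed, today) # EPP change poll (step 5)
  end
end

# Constructed sample data: three domains and four daily scans.
def run_demo
  zone = {
    'signed.ee'   => { signed: true,  keys: ['257 3 13 AAAA'], registered_on: Date.new(2017, 1, 1) },
    'unsigned.ee' => { signed: false, keys: [],                registered_on: Date.new(2017, 1, 1) },
    'fresh.ee'    => { signed: false, keys: [],                registered_on: Date.new(2017, 12, 18) }
  }
  sync = CdnskeySync.new(zone)
  # Day 1: signed domain rolls its key (immediate), unsigned domain publishes a first key
  # (monitoring starts), freshly registered domain is exempt from waiting.
  sync.process_scan({ 'signed.ee' => ['257 3 13 BBBB'], 'unsigned.ee' => ['257 3 13 CCCC'],
                      'fresh.ee' => ['257 3 13 DDDD'] }, Date.new(2017, 12, 18))
  # Day 4: unsigned domain changes its material again, so the clock restarts.
  sync.process_scan({ 'unsigned.ee' => ['257 3 13 EEEE'], 'signed.ee' => nil }, Date.new(2017, 12, 21))
  # Day 8: only 4 days stable, still monitored.
  sync.process_scan({ 'unsigned.ee' => ['257 3 13 EEEE'] }, Date.new(2017, 12, 25))
  # Day 11: 7 days stable, zone is updated.
  sync.process_scan({ 'unsigned.ee' => ['257 3 13 EEEE'] }, Date.new(2017, 12, 28))
  sync
end

if __FILE__ == $PROGRAM_NAME
  run_demo.events.each { |e| puts "#{e.day} #{e.type} #{e.domain} #{e.keys.inspect}" }
end
```

Each scan is idempotent with respect to the parent view: a domain whose observed keys already match the zone simply drops out of monitoring, and a change of material during the waiting period restarts the clock rather than being merged, which is what makes the n-day rule meaningful.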
@karlerikounapuu karlerikounapuu self-assigned this Jun 2, 2020
vohmar commented Jun 5, 2020

This is SWITCH's (ccTLD of Switzerland) documentation for CSYNC/CDS: https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf. The most important points are laid out there - most notably acceptance criteria, what to check and what should be configurable, like supported algorithms. Also they have laid out their change poll solution for notifying registrars about changes that we should also implement - a simple free text form of poll message might not be enough here.
