Add sub-zone dnskey check on adding new dnskey to a domain #1897

Closed
vohmar opened this issue Mar 30, 2021 · 0 comments · Fixed by #2206
vohmar commented Mar 30, 2021

On EPP/REPP domain update with adding new DNSKEY to domain object we should run the sub-zone check to make sure the key being added matches the key available in the authoritative nameservers. Delayed job should be added for new domain registrations and domain updates for configurable delay to check the validity of the trust-chain after the change is made in registry.

if validation fails for all the host records then remove the key from the .ee zone

if validation fails for some of the hosts then the results should be configurable:
option 1: remove the host record from the .ee zone that does not have the valid dnskey record
option 2: remove the dnskey from .ee zone

Inform registrar via epp poll and domain contacts via email about the changes made to the registration

Key checking utility is available with the CSYNC functionality

Error message to return on failed check:

2308 "Data management policy violation: DNSKEY does not match or not found in the authoritative nameservers"
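The decision logic the issue describes (all hosts fail, some hosts fail, none fail), as an added Ruby example that is not code from the registry project. It assumes the DNSKEY RRsets have already been fetched from each authoritative nameserver; the nameserver names and key material below are constructed.

```ruby
# Added example, not code from the registry project: decision logic for the
# sub-zone DNSKEY check. It assumes the DNSKEY RRsets have already been
# fetched from each authoritative nameserver (e.g. by the CSYNC utility).
DNSKEY_MISMATCH_CODE = 2308
DNSKEY_MISMATCH_MSG  = 'Data management policy violation: DNSKEY does not ' \
                       'match or not found in the authoritative nameservers'

# Normalise presentation-format rdata ("257 3 13 <base64>") so whitespace
# inside the base64 blob does not cause a false mismatch.
def normalize_dnskey(rdata)
  flags, protocol, algorithm, *key_parts = rdata.split
  [flags.to_i, protocol.to_i, algorithm.to_i, key_parts.join]
end

# For each nameserver, true if the submitted key is present in its DNSKEY RRset.
def check_per_host(submitted, answers_by_host)
  wanted = normalize_dnskey(submitted)
  answers_by_host.transform_values do |rrset|
    rrset.any? { |rdata| normalize_dnskey(rdata) == wanted }
  end
end

# Apply the policy from the issue: all hosts fail -> drop the key and return
# error 2308; some fail -> configurable (option 1 :remove_hosts, option 2 :remove_dnskey).
def decide(submitted, answers_by_host, partial_policy: :remove_dnskey)
  results = check_per_host(submitted, answers_by_host)
  failed  = results.reject { |_host, ok| ok }.keys
  if failed.empty?
    { action: :accept }
  elsif failed.size == results.size
    { action: :remove_dnskey, code: DNSKEY_MISMATCH_CODE, message: DNSKEY_MISMATCH_MSG }
  elsif partial_policy == :remove_hosts
    { action: :remove_hosts, hosts: failed, code: DNSKEY_MISMATCH_CODE }
  else
    { action: :remove_dnskey, hosts: failed, code: DNSKEY_MISMATCH_CODE }
  end
end

# Constructed sample data: the key submitted via EPP and what each nameserver answers.
SUBMITTED_KEY = '257 3 13 AwEAAcFakeKeyForIllustrationOnly0123456789abcdefghijklmnopqrstuv=='
ANSWERS = {
  'ns1.example.ee' => ['257 3 13 AwEAAcFakeKeyForIllustrationOnly 0123456789abcdefghijklmnopqrstuv=='],
  'ns2.example.ee' => ['256 3 13 AwEAAcDifferentZskOnThisHostOnly0123456789abcdefghijklmnopqrstuv==']
}

if __FILE__ == $PROGRAM_NAME
  p decide(SUBMITTED_KEY, ANSWERS)
  p decide(SUBMITTED_KEY, ANSWERS, partial_policy: :remove_hosts)
end
```

In the sample only ns1 serves the submitted key, so the default policy drops the DNSKEY while option 1 drops only ns2 from the zone.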
