1. はじめに
1. はじめに
[RFC7344] automates DNSSEC delegation trust maintenance by having the child publish CDS and/or CDNSKEY records that describe prospective DS parameters. [RFC7477] specifies CSYNC records that indicate desired updates to a delegation's NS and glue records. Parent-side entities such as registries and registrars can use these records to update the corresponding parent-side RRsets.
Querying only one authoritative nameserver works in ideal conditions, but can fail when CDS/CDNSKEY/CSYNC RRsets are inconsistent across authoritative nameservers because of replication lag, KSK rollover, or multi-signer operation [RFC8901]. A single provider in a multi-signer setup should not be able to remove another provider's trust anchors or nameservers from the delegation.
This document requires parent-side entities to ensure plausible consistency across the child's nameservers before acting on CDS/CDNSKEY or CSYNC records. Readers are expected to be familiar with DNSSEC [RFC9364], [RFC4033], [RFC4034], [RFC4035], [RFC7344], and [RFC7477].
1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are interpreted as described in BCP 14 [RFC2119] [RFC8174] when they appear in all capitals.
1.2. Terminology
A multi-provider setup is one where several providers independently operate authoritative DNS service for a domain. A multi-signer setup is a multi-provider setup for a DNSSEC-enabled domain with multiple independent signing entities [RFC8901]. Otherwise, terminology follows [RFC7344].