On Tue, Feb 22, 2022 at 7:26 AM libor.peltan <libor.peltan(a)nic.cz> wrote:
> Hi Matt,
> thanks much for the idea! (And pretty description.)
> The problem is slightly more complicated, as there might be
> desirable DSs that are not part of the published CDS set (e.g. multi-signer
> setup), but I was able to improve this in the hopefully best way. We
> will release the enhancement in one of the next Knot DNS versions.

Ah yes, I can see how it would be necessary to leave _some_ unmatched
DS records sometimes, so my suggestion wasn't quite right. It should
be possible for Knot to determine whether leaving any individual DS in
place would put the zone in a bad place, though (like having
mismatched algorithms) and could block progress in those cases.
Sounds like that's close to what you're doing?
Thanks for responding so fast!
Matt