[dns-wg] follow up of "Update RIPE's DNS Zonemaster"

On 19.2. 2022 10:54, Nick Cao via dns-wg wrote:
> Strangely, after leaving everything as-is for a day, the rollover has 
> been completed automatically. Guess that it was the mechanism 
> documented in 
> https://www.ripe.net/manage-ips-and-asns/db/support/configuring-reverse-dns#4--automated-update-of-dnssec-delegations 
> taking effect. However, the same checks would have been applied to 
> this procedure, or was the system using another instance of zonemaster 
> or other software?

Hello Nick,

this was indeed automated update of DS records based on CDS records 
published in your zone. Since this updater works by using RIPE NCC's 
superpowers to edit database objects on your behalf, these superpowers 
also override (or, to be precise, skip) the Zonemaster check. This is 
generally safe as the updater do all the checks prescribed by RFC 7344.

Right now this is really the only way how to automatically upgrade to 
the newest DNSSEC algorithms which are not supported by the current 
version of Zonemaster. Unfortunately I cannot tell you anything about 
why is Zonemaster still not upgraded but hopefully some of my colleagues 
will do.

-- 
Best regards,

Ondřej Caletka
RIPE NCC