
Re: Last Call: RFC7344 Automating DNSSEC Delegation Trust Maintenance to standards track

2016-11-16 06:09:11
On Mon, 14 Nov 2016, Benjamin Kaduk wrote:

> Section 3 (of RFC 7344) specifies that the absence of a CDS/CDNSKEY record
> in the child means that no changes are to be made to the DS records in the
> parent.  An attacker that is able to prevent the parent zone's resolvers
> from seeing the CDS/CDNSKEY records would thus be able to prevent the DS
> update, a denial of service.  One would hope that the DNSSEC-enabled
> parent zone would use a validating resolver when it queries the child
> zone, but it is probably worth mentioning explicitly, and the behavior
> in the error case when the query fails.

If an attacker is messing with your packets and filtering/changing
records you will get a DNSSEC error. So if withholding the CDS RRset,
your resolver would get a BOGUS or INDETERMINATE answer. And it knows
something fishy is going on and it would hopefully try again shortly.
It would surely not interpret this as "proof" there is no CDS RRset.

Paul
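The distinction Paul draws above, between an authenticated "no CDS RRset" answer and a BOGUS or INDETERMINATE one, is easy to get wrong in a parent's polling code. The following is an added illustration, not code from this thread, from RFC 7344, or from any registry's implementation. It models the decision a parent-side poller has to make: only a validated (SECURE) NOERROR answer may drive a DS change, an authenticated NODATA means "no change requested", and anything else is retried rather than read as proof of absence. The Validation enum, the CdsAnswer model and the sample records are constructed for the example and stand in for whatever a real validating resolver library would return.

```python
"""Parent-side CDS polling decision logic (constructed example).

Models the RFC 7344 Section 3 rule discussed in the thread: the absence of
a CDS RRset only means "leave the DS alone" when that absence is itself
DNSSEC-validated. BOGUS / INDETERMINATE results (what a validating resolver
returns when an on-path attacker strips or alters records) are retried.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Tuple


class Validation(Enum):
    # Assumed validation states, modelled on RFC 4035 resolver outcomes.
    SECURE = "secure"                 # chain of trust verified, AD bit set
    INSECURE = "insecure"             # provably unsigned (not expected for a DS-having child)
    BOGUS = "bogus"                   # signatures failed or signed records went missing
    INDETERMINATE = "indeterminate"   # validation could not complete (timeout, no data)


class Action(Enum):
    NO_CHANGE = "no-change"   # leave parent DS RRset as is
    UPDATE_DS = "update-ds"   # replace parent DS RRset with the child's CDS
    RETRY = "retry"           # answer untrusted; poll again shortly


@dataclass(frozen=True)
class CdsRecord:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, constructed values in the demo below


@dataclass
class CdsAnswer:
    """Constructed model of a validating resolver's reply to a CDS query."""
    validation: Validation
    rcode: str                                  # "NOERROR", "SERVFAIL", ...
    cds: FrozenSet[CdsRecord] = frozenset()     # empty set => NODATA


def decide_ds_action(answer: CdsAnswer, current_ds: FrozenSet[CdsRecord]) -> Tuple[Action, FrozenSet[CdsRecord]]:
    """Return the action the parent should take and the resulting DS set."""
    # Anything that did not validate is never interpreted as "no CDS present".
    if answer.validation is not Validation.SECURE or answer.rcode != "NOERROR":
        return Action.RETRY, current_ds
    if not answer.cds:
        # Authenticated denial of existence: the child is asking for nothing.
        return Action.NO_CHANGE, current_ds
    if answer.cds == current_ds:
        return Action.NO_CHANGE, current_ds
    return Action.UPDATE_DS, answer.cds


def poll_until_decision(answers: List[CdsAnswer], current_ds: FrozenSet[CdsRecord],
                        max_attempts: int = 3) -> Tuple[Action, FrozenSet[CdsRecord], int]:
    """Walk successive poll results; report the first trusted decision and how many polls it took."""
    attempts = 0
    for answer in answers[:max_attempts]:
        attempts += 1
        action, ds = decide_ds_action(answer, current_ds)
        if action is not Action.RETRY:
            return action, ds, attempts
    return Action.RETRY, current_ds, attempts


if __name__ == "__main__":
    # Constructed sample data: the DS the parent currently publishes for the child.
    current = frozenset({CdsRecord(12345, 13, 2, "ab" * 32)})
    # First two polls see a tampered path (BOGUS, then INDETERMINATE); the third validates.
    sequence = [
        CdsAnswer(Validation.BOGUS, "SERVFAIL"),
        CdsAnswer(Validation.INDETERMINATE, "SERVFAIL"),
        CdsAnswer(Validation.SECURE, "NOERROR"),   # validated NODATA
    ]
    print(poll_until_decision(sequence, current))
```

The point of the model is the first branch of decide_ds_action: a validating resolver at the parent cannot be tricked into a DS removal by withholding the CDS RRset, because the withheld answer fails validation and is simply retried; only an NSEC/NSEC3-proven NODATA reaches the "no change" branch.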
