On Mon, 14 Nov 2016, Benjamin Kaduk wrote:
Section 3 (of RFC 7344) specifies that the absence of a CDS/CDNSKEY record in the child means that no changes are to be made to the DS records in the parent. An attacker that is able to prevent the parent zone's resolvers from seeing the CDS/CDNSKEY records would thus be able to prevent the DS update, a denial of service. One would hope that the DNSSEC-enabled parent zone would use a validating resolver when it queries the child zone, but it is probably worth mentioning explicitly, and the behavior in the error case when the query fails.
If an attacker is messing with your packets and filtering/changing records you will get a DNSSEC error. So if withholding the CDS RRset, your resolver would get a BOGUS or INDETERMINATE answer. And it knows something fishy is going on and it would hopefully try again shortly. It would surely not interpret this as "proof" there is no CDS RRset.

Paul
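Paul's rule above, written out as a parent-side decision routine (an added example, not code from the thread or from any registry's scanner). It assumes a validating resolver has already labelled the child's CDS answer SECURE / INSECURE / BOGUS / INDETERMINATE; the DsRecord and ChildAnswer types and the decide() function are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum


class Validation(Enum):
    SECURE = "secure"                # chained to the trust anchor, signatures verified
    INSECURE = "insecure"            # provably unsigned (no DS at the parent)
    BOGUS = "bogus"                  # signed, but validation failed (tampering, bad sig)
    INDETERMINATE = "indeterminate"  # validation could not complete (timeout, SERVFAIL)


class Action(Enum):
    UPDATE_DS = "replace parent DS with the child's CDS"
    NO_CHANGE = "authenticated NODATA for CDS: leave DS alone"
    RETRY = "untrusted answer: change nothing, retry later, alert"
    REJECT = "CDS not signed by a key in the current DS: ignore, alert"


@dataclass(frozen=True)
class DsRecord:            # same fields for a DS and a CDS record
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


@dataclass
class ChildAnswer:         # constructed stand-in for a resolver's response
    validation: Validation
    cds: frozenset = frozenset()              # CDS RRset, empty on NODATA
    rrsig_key_tags: frozenset = frozenset()   # key tags of the RRSIGs over CDS


def decide(answer: ChildAnswer, current_ds: frozenset) -> Action:
    """Parent-side decision for one scan of the child's CDS RRset (RFC 7344)."""
    if answer.validation in (Validation.BOGUS, Validation.INDETERMINATE):
        # A failed or incomplete validation is never "proof" that CDS is absent.
        return Action.RETRY
    if answer.validation is Validation.INSECURE:
        # No chain of trust to the child: RFC 7344 only maintains an existing DS.
        return Action.REJECT
    if not answer.cds:
        # A SECURE denial of existence (validated NSEC/NSEC3) is the only
        # answer that legitimately means "no DS change requested".
        return Action.NO_CHANGE
    trusted_tags = {ds.key_tag for ds in current_ds}
    if not (answer.rrsig_key_tags & trusted_tags):
        return Action.REJECT   # CDS must be signed by a key already in the DS
    return Action.NO_CHANGE if answer.cds == current_ds else Action.UPDATE_DS
```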