[Opendnssec-develop] KSK Rollovers

Jakob Schlyter jakob at kirei.se
Mon Jul 13 17:55:05 UTC 2009


On 13 jul 2009, at 11.57, Antoin Verschuren wrote:

> Should a parent check if a DS that is presented to him over a secure
> channel is the same as in a child zone before entering it into the
> parent zone, or is that the responsibility of the child? (bogus in,
> bogus out).

I think it is the responsibility of the child, since the child may
want to prepublish fingerprints at the parent.

> If children frequently check the DS at the parent zone, this could
> have quite an impact on the parent zone with many children. Isn't a
> better mechanism that the parent checks their DS against the DNSKEY
> of the child zone and reports about that? (queries are spread out
> over more zones and servers)

Since the DS is included in every NS response from the parent, I
believe that the impact of the child's own checks is a non-issue. I
envision the child querying the parent once every day or so; that
should be enough and not even measurable compared to the normal query
load.

	jakob
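The child-side check discussed above (compare the DS RRset the parent publishes with the DS the child's own KSK should produce), as an added example that is not part of this thread or of OpenDNSSEC. The zone name, DNSKEY material and the parent DS set are constructed placeholders; the DS is computed as in RFC 4034 (digest type 2, SHA-256 over the canonical owner name plus the DNSKEY RDATA).

```python
import base64
import hashlib
import struct

# Constructed child KSK (not a real key): flags 257 = KSK, protocol 3,
# algorithm 8 (RSASHA256); the public key bytes are short on purpose.
CHILD_ZONE = "example.com."
CHILD_KSK = {"flags": 257, "protocol": 3, "algorithm": 8,
             "public_key": base64.b64encode(bytes([3, 1, 0, 1, 1, 2, 3, 4])).decode()}


def dnskey_rdata(key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) \
        + base64.b64decode(key["public_key"])


def owner_name_wire(name):
    """Canonical (lowercase, uncompressed) wire-format owner name, RFC 4034 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key):
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(zone, key, digest_type=2):
    """DS record (key tag, algorithm, digest type, hex digest) the parent should hold."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    digest = hashlib.sha256(owner_name_wire(zone) + dnskey_rdata(key)).hexdigest()
    return (key_tag(key), key["algorithm"], digest_type, digest)


def ds_published(zone, key, parent_ds_set):
    """Child-side check: is the DS for `key` present in the DS RRset at the parent?"""
    wanted = make_ds(zone, key)
    return any((t, a, d, dig.lower()) == wanted for (t, a, d, dig) in parent_ds_set)


if __name__ == "__main__":
    # Constructed parent DS RRset: our DS plus a stale DS for a retired key.
    parent_ds = {make_ds(CHILD_ZONE, CHILD_KSK), (12345, 8, 2, "00" * 32)}
    print("DS for our KSK published at parent:", ds_published(CHILD_ZONE, CHILD_KSK, parent_ds))
```

In a real deployment the parent DS set would come from a DS query to the parent's servers (once a day, per the thread), and a missing DS would block the next KSK rollover step rather than just print a line.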
