[Opendnssec-develop] Re: DelegationSignerSubmitCommand (was zonefetcher)

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Fri Apr 9 11:02:30 CEST 2010


sion at nominet.org.uk wrote on 09/04/2010 08:14:21:

> > Also, I saw no traces of calls to DelegationSignerSubmitCommand
> > during this process. Shouldn't new keys be submitted immediately?
> 
> When a new zone is added the system will wait for the zone to propagate
> before submitting DS records to the parent. I _think_ that this is 
correct
> behaviour, if I am wrong then please let me know.
> 
> Sion

That's the right behaviour when a key is added to the zone for the first 
time: without such a delay the most pessimistic scenario is that a DS 
record submitted to the parent at the same time gets published 
immediately.  In this case we could end up with a validating resolver 
retrieving the DS record from the parent but accessing a copy of the zone 
from a nameserver that has not yet received the update adding the key. 
Under these circumstances the resolver would report a bogus zone.

Stephen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20100409/023e5b9c/attachment.html>


More information about the Opendnssec-develop mailing list