[Opendnssec-develop] Re: DelegationSignerSubmitCommand (was zonefetcher)
Stephen.Morris at nominet.org.uk
Fri Apr 9 09:02:30 UTC 2010
sion at nominet.org.uk wrote on 09/04/2010 08:14:21:
> > Also, I saw no traces of calls to DelegationSignerSubmitCommand
> > during this process. Shouldn't new keys be submitted immediately?
>
> When a new zone is added the system will wait for the zone to propagate
> before submitting DS records to the parent. I _think_ that this is correct
> behaviour, if I am wrong then please let me know.
>
> Sion
That's the right behaviour when a key is added to the zone for the first
time: without such a delay the most pessimistic scenario is that a DS
record submitted to the parent at the same time gets published
immediately. In this case we could end up with a validating resolver
retrieving the DS record from the parent but accessing a copy of the zone
from a nameserver that has not yet received the update adding the key.
Under these circumstances the resolver would report a bogus zone.
Stephen
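
Added example, not part of the original message and not OpenDNSSEC code: a simplified model of the race described above, comparing what a validating resolver concludes per nameserver when the DS is published before and after the new key has propagated. The zone name, key bytes, server names and function names are constructed for illustration, and the validator only checks the DS-to-DNSKEY link, not signatures.

```python
import hashlib

def name_to_wire(name):
    """Canonical (lowercased) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def ds_digest(owner, rdata):
    """SHA-256 DS digest (digest type 2): hash of owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def resolver_verdict(owner, parent_ds, served_dnskeys):
    """Simplified validator: only checks DS-to-DNSKEY linkage, not RRSIGs."""
    if not parent_ds:
        return "insecure"  # no DS at the parent: zone is treated as unsigned
    served = {ds_digest(owner, k) for k in served_dnskeys}
    return "secure" if served & set(parent_ds) else "bogus"

def safe_to_submit_ds(new_key, nameserver_views):
    """Gate: submit the DS only once every nameserver serves the new key."""
    return all(new_key in keys for keys in nameserver_views.values())

# Constructed sample data (hypothetical zone, key bytes and server names).
ZONE = "example.com."
KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
DS = ds_digest(ZONE, KSK)
BEFORE = {"ns1": [KSK], "ns2": []}      # ns2 has not received the update yet
AFTER = {"ns1": [KSK], "ns2": [KSK]}    # zone has propagated everywhere

def scenario(views, ds_published):
    """Verdict per nameserver for a given parent state."""
    parent = [DS] if ds_published else []
    return {ns: resolver_verdict(ZONE, parent, keys) for ns, keys in views.items()}

if __name__ == "__main__":
    print("DS submitted at once :", scenario(BEFORE, True))
    print("DS held back         :", scenario(BEFORE, False))
    print("after propagation    :", scenario(AFTER, True))
    print("gate before/after    :", safe_to_submit_ds(KSK, BEFORE),
          safe_to_submit_ds(KSK, AFTER))
```
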