[Opendnssec-develop] The ds-* commands in Enforcer NG

Rickard Bellgrim rickard at opendnssec.org
Mon Sep 12 08:52:54 UTC 2011


I noticed that two new commands have been added to Enforcer NG, "key
ds-retract" and "key ds-gone". Are those needed? For the purpose of
DNSSEC, it does not matter if you have old DS RRs in the parent zone.
As long as you have one valid DS. So we do not need to track the old
DS RRs. It is implicit that the user removes the old DS RR, because its
DNSKEY is not included in the "key export" or in the DSSubmitCommand.

// Rickard
