[Opendnssec-user] Version 1.1.0 and KSK rollover logic
pierre.lebrech at laposte.net
Tue Jul 6 15:31:07 UTC 2010
OK, good idea. But some parent zone holders check to see if the
corresponding DNSKEY is present in the child zone before accepting
DS records. I have DLV in mind... So in this scenario, DS records
cannot be submitted.
On Tue, Jul 06, 2010 at 01:52:58PM +0100, Sion Lloyd wrote:
> > I have 3 test zones and each has an active KSK and a dsready KSK.
> > dsready KSK is labelled "When required". If I look in the zonefile, I
> > cannot see this DNSKEY. The only KSK I can find is the active one.
> > What should this dsready state mean? In ODS 1.0, this state didn't
> > exist. Before the ready state, there was a published state.
> The key in the DSREADY state is the standby key. It has had its DS record
> submitted to the parent but is not being published in the zone yet. It will
> not be published until it is going to be used.
> The idea is that if the key is needed in an emergency the shortest timescale
> that it can be used in is the publication through the child system. (It is
> imagined that dealing with the parent zone is the slower of the two.)