[Opendnssec-user] Version 1.1.0 and KSK rollover logic
jakob at kirei.se
Wed Jul 7 07:37:30 UTC 2010
On 6 jul 2010, at 22.12, Duane Wessels <dwessels at verisign.com> wrote:
> The root zone also requires the DNSKEY to be present in the child zone.
> see http://www.root-dnssec.org/wp-content/uploads/2010/05/draft-trust-anchor-procedure.pdf
> At the time of the trust anchor request, there must be a DNSKEY
> that matches the DS record present in the child zone.
This is not always true - if a zone wants to pre-publish a DS as part of a key rollover, it is possible to do that. One should be able to show that this introduces no harm though.
More information about the Opendnssec-user