[Opendnssec-user] newbie question regarding DS and ds-seen

Casper Gielen c.gielen at uvt.nl
Tue Dec 18 16:06:13 UTC 2012


On 18-12-12 16:50, Eliot Lear wrote:
> Hi,
> 
> A couple of questions:
> 
> 1.  SWITCH pretty much requires that for the .CH domain DS records be
> published in the child zone.  With opendnssec I can kludge this a bit by
> not having rndc kick the server after a roll, but it's a kludge.  Any
> way to include DS records in the output generation for the zone file?
> 
> 2.  It is possible to get a DS into a parent zone while the state is in
> "Publish".  What's the hazard in doing so?

1. Applying DNSSEC to a child zone without updating the parent zone is
fine, your DNSSEC records will simply be ignored.

2. Putting the DS in the parent before enabling the child is dangerous,
your zone will not be visible on the internet until you enable DNSSEC.

Just issue the ds-seen command, it doesn't matter for a new domain that
has not been on DNSSEC before. Nobody will use your records until the DS
is published by the parent but that's ok.
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
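
Added example, not part of the original message and not OpenDNSSEC code: a simplified model of how a validating resolver classifies a delegation from the parent's DS set and the child's DNSKEY set, covering the two cases in the reply above. The zone name, key bytes and function names are constructed for illustration, and the model assumes SHA-256 DS digests and skips RRSIG verification and algorithm-support checks.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_state(owner, parent_ds, child_dnskeys):
    """What a validating resolver concludes from the parent DS set and child DNSKEY set."""
    if not parent_ds:
        return "insecure"   # no DS at the parent: child DNSSEC records are ignored
    served = {ds_from_dnskey(owner, k) for k in child_dnskeys}
    if any(ds in served for ds in parent_ds):
        return "secure"     # chain of trust reaches a key the child publishes
    return "bogus"          # DS promises a key the child does not serve: SERVFAIL

# Constructed sample data: placeholder zone name and key bytes, not real keys.
OWNER = "example.ch."
KSK = dnskey_rdata(257, 13, base64.b64encode(bytes(range(64))).decode())
ZSK = dnskey_rdata(256, 13, base64.b64encode(bytes(range(64, 128))).decode())

if __name__ == "__main__":
    ds = ds_from_dnskey(OWNER, KSK)
    print("child signed, no DS at parent :", delegation_state(OWNER, [], [KSK, ZSK]))
    print("DS at parent, child unsigned  :", delegation_state(OWNER, [ds], []))
    print("DS at parent, child serves KSK:", delegation_state(OWNER, [ds], [KSK, ZSK]))
```

Running the same comparison against the real DS and DNSKEY sets before handing a DS to the registry shows whether the key it refers to is actually being served by the child.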




