[Opendnssec-user] Key has gone straight to active use ..

Yuri Schaeffer yuri at nlnetlabs.nl
Mon May 21 08:17:56 UTC 2012


> I think what happened to this zone is: its DS was published
> automatically just before the NL-zone reloads. The automated 'is DS
> available for $domain in ds-seen state'-checker I wrote found the DS
> active only 15 minutes after it being published and marked the key
> active, way before ODS expected that to happen(??).

'active' means the DS can be used by ODS, i.e. all resolvers have access
to it. This is not immediately after publishing it in the NL-zone; these
resolvers have caches, which ODS takes into account. See [1].

So you have to wait at least the TTL of the DS to know you can safely
use the new DS. Your script _will_ break validation of your domain for
at least some resolvers.

Regards,
Yuri Schaeffer


[1] https://wiki.opendnssec.org/display/DOCS/Key+States
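Added illustration of the caching argument above (my own example, not OpenDNSSEC code): a few constructed resolvers that fetched the DS RRset at different moments, a DS TTL and a parent propagation delay that are assumed values, and a check of who still holds the stale answer when a key is marked active 15 minutes after publication versus after TTL plus propagation.

```python
"""Why 'DS seen at the parent' is not the same as 'DS usable by everyone'.

A validating resolver that fetched the DS answer just before the new DS
was published keeps that answer until its TTL runs out. The earliest
moment every resolver can possibly see the new DS is therefore
publish time + parent propagation delay + DS TTL.
"""
from dataclasses import dataclass

DS_TTL = 3600       # assumed DS TTL in the parent zone, in seconds
PROPAGATION = 600   # assumed time until all parent servers serve the new DS


@dataclass
class Resolver:
    name: str
    cached_at: int  # seconds (relative to publication) when it fetched the DS RRset

    def sees_new_ds(self, published_at: int, now: int) -> bool:
        # Fetched after the parent fully propagated: it already has the new DS.
        if self.cached_at >= published_at + PROPAGATION:
            return True
        # Otherwise the stale answer lives in its cache for a full DS TTL.
        return now >= self.cached_at + DS_TTL


def earliest_active(published_at: int) -> int:
    """Earliest time the DS may be treated as reachable by every resolver."""
    return published_at + PROPAGATION + DS_TTL


def resolvers_not_seeing_ds(resolvers, published_at, now):
    """Names of resolvers that would still validate against the old DS set."""
    return [r.name for r in resolvers if not r.sees_new_ds(published_at, now)]


if __name__ == "__main__":
    published = 0
    fleet = [Resolver("cached-before-publish", -10),      # constructed sample
             Resolver("cached-during-propagation", 60),
             Resolver("cached-after-propagation", 700)]
    # The checker from the thread marked the key active after 15 minutes:
    print(resolvers_not_seeing_ds(fleet, published, 15 * 60))
    # Waiting for propagation + DS TTL leaves nobody behind:
    print(resolvers_not_seeing_ds(fleet, published, earliest_active(published)))
```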