[Opendnssec-user] key ds-seen / Registry Anycast DNS

Klaus Darilion klaus.mailinglists at pernau.at
Thu Dec 19 09:37:59 UTC 2013

On 19.12.2013 10:16, Volker Janzen wrote:
> Hi,
> I'm currently working on automated KSK rollovers with my registrars API.
> I remember a discussion that it's difficult to say if a DS record can be
> assumed as seen, because with Anycast DNS you cannot check all
> nameservers from your location (or even when using load-balanced
> nameservers, you cannot check all nodes). Does anyone know / can suggest
> how long after a DS update at the registry I should wait before I take
> the DS seen via DNS lookup? E.g. 24 hours?

Generally the expected DS propagation delay depends on the parent domain 
operator. If, like in your case, it is a TLD operator, I would suspect 
that these people try to have all their name servers in sync and can 
resolve issues quite fast. On the other hand, it does not harm to have 
an old KSK in zone for some days more than the expected DS propagation 

Thus, during "normal" KSK rollovers I use 5 days (to cover out-of-sync 
issues over a long weekend / holidays) before I remove the old KSK. In 
case of emergency rollovers (key was leaked) you have to decide per case 
if it is better to have short delays and risk failing validation vs. 
someone can spoof valid answers.
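As an added illustration of the "ds-seen" check discussed above (example code written for this thread, not OpenDNSSEC's own): compute the DS digest your new KSK should have at the parent, then compare it against the DS RRset collected from every parent name server or anycast node you can reach, and treat the DS as seen only when none of them is missing it. The zone name, DNSKEY fields and per-nameserver DS sets below are constructed placeholders, not real data.

```python
import hashlib
import struct

# Constructed KSK for a hypothetical zone; the public key bytes are a placeholder, not a real key.
ZONE = "example.org."
DNSKEY_FLAGS = 257          # KSK: ZONE key with the SEP bit set
DNSKEY_PROTOCOL = 3
DNSKEY_ALGORITHM = 13       # ECDSAP256SHA256
PUBLIC_KEY = bytes(range(1, 65))
SHA256_DIGEST_TYPE = 2

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def expected_ds(zone, flags, protocol, algorithm, pubkey):
    """The DS record the parent should publish for this KSK: SHA-256 DS per RFC 4509,
    digest = SHA-256(owner name wire | DNSKEY RDATA). Returned as (tag, alg, type, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, SHA256_DIGEST_TYPE, digest)

def ds_missing_at(expected, observed):
    """observed maps each parent name server (or anycast node) you queried to the set of
    (tag, alg, type, digest) tuples it answered with. Returns the servers that do not yet
    publish the expected DS; an empty list is the only state that counts as 'ds-seen'.
    Nodes you could not reach are not in the dict, which is why a further wait is still needed."""
    return sorted(ns for ns, rrset in observed.items() if expected not in rrset)

if __name__ == "__main__":
    ds = expected_ds(ZONE, DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, PUBLIC_KEY)
    # Constructed answers: two parent servers carry the new DS, one still serves only the old one.
    old_ds = (1111, 13, 2, "00" * 32)
    observed = {"a.parent": {old_ds, ds}, "b.parent": {old_ds, ds}, "c.parent": {old_ds}}
    print("expected DS:", ds)
    print("still missing at:", ds_missing_at(ds, observed))
```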
