[Opendnssec-user] key ds-seen / Registry Anycast DNS
klaus.mailinglists at pernau.at
Thu Dec 19 09:37:59 UTC 2013
On 19.12.2013 10:16, Volker Janzen wrote:
> I'm currently working on automated KSK rollovers with my registrars API.
> I remember a discussion that it's difficult to say if a DS record can be
> assumed as seen, because with Anycast DNS you cannot check all
> nameservers from your location (or even when using load-balanced
> nameservers, you cannot check all nodes). Does anyone know / can suggest
> how long after a DS update at the registry I should wait before I take
> the DS seen via DNS lookup? E.g. 24 hours?
Generally the expected DS propagation delay depends on the parent domain
operator. If, like in your case, it is a TLD operator, I would suspect
that these people try to have all there name servers in sync and can
resolve issues quite fast. On the other hand, it does not harm to have
an old KSK in zone for some days more than the expected DS propagation
Thus, during "normal" KSK rollovers I use 5 days (to cover out-of-sync
issues over a long weekend / holidays) before I remove the old KSK. In
case of emergency rollovers (key was leaked) you have to decide per case
if it is better to have short delays and risk failing validation vs.
someone can spoof valid answers.
More information about the Opendnssec-user