[Opendnssec-user] key ds-seen / Registry Anycast DNS

Klaus Darilion klaus.mailinglists at pernau.at
Thu Dec 19 12:54:03 UTC 2013



On 19.12.2013 13:25, Volker Janzen wrote:
> I'm using the DelegationSignerCommand to get notified if OpenDNSSEC
> wants me to do an update on a domain. This currently triggers a domain
> update (by a simple script) with my domain registrar. The command gets
> exactly one DNSKEY (the new one). From this point of view, the workflow
> does not allow the old DS to persist in the parent zone, because I'm not
> told there should be two DNSKEY entries and there will be no second call
> to the DelegationSignerCommand command either to tell me to finally
> remove the old DS. BTW: it's a pity that there is no call when setting
> the initial DNSKEY, too.

There is no need to have 2 DS in the parent zone. With double-signature 
it is fine to have only one DS in the parent zone. You just have to make 
sure that the old KSK is still in the zone and used to sign the DNSKEYs 
for TTL-of-DS + propagation-delay-parent-zone.

AFAIK these values can be configured in kasp.xml. Therefore I suspect 
that ODS keeps the old KSK after "ds-seen" for at least this time.

                 <Parent>
                         <PropagationDelay>XXXX</PropagationDelay>
                         <DS>
                                 <TTL>XXX</TTL>
                         </DS>
                         <SOA>
                                 <TTL>XXXX</TTL>
                                 <Minimum>XXXX</Minimum>
                         </SOA>
                 </Parent>

regards
Klaus
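As an added example (not code from this thread or from OpenDNSSEC itself), the script below reads the Parent section of a constructed kasp.xml fragment, converts the ISO 8601 durations kasp.xml uses, and computes how long the old KSK must stay in the zone and keep signing the DNSKEY RRset after ds-seen, following the rule in the reply above (DS TTL plus parent propagation delay). The XML values, function names and the assumption that only day/hour/minute/second durations occur are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment; the values are assumptions, not from the thread.
KASP_PARENT_XML = """
<Policy name="default">
  <Parent>
    <PropagationDelay>PT9999S</PropagationDelay>
    <DS>
      <TTL>PT3600S</TTL>
    </DS>
    <SOA>
      <TTL>PT3600S</TTL>
      <Minimum>PT3600S</Minimum>
    </SOA>
  </Parent>
</Policy>
"""

# ISO 8601 duration with days, hours, minutes, seconds (years/months are
# calendar-dependent and deliberately rejected rather than guessed).
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text: str) -> int:
    """Convert a kasp.xml duration such as PT3600S, P1D or PT1H30M to seconds."""
    text = text.strip()
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, mins, secs = (int(m.group(g) or 0) for g in ("d", "h", "m", "s"))
    return days * 86400 + hours * 3600 + mins * 60 + secs


def old_ksk_retention_seconds(kasp_xml: str) -> int:
    """Minimum time the old KSK must remain published and signing after ds-seen:
    the parent's DS TTL plus the parent's propagation delay."""
    parent = ET.fromstring(kasp_xml).find("Parent")
    ds_ttl = parse_duration(parent.findtext("DS/TTL"))
    propagation = parse_duration(parent.findtext("PropagationDelay"))
    return ds_ttl + propagation


def old_ksk_retirable_at(ds_seen_epoch: int, kasp_xml: str) -> int:
    """Earliest Unix time at which the old KSK may be withdrawn from the zone."""
    return ds_seen_epoch + old_ksk_retention_seconds(kasp_xml)
```

With the constructed values the old KSK has to stay for 13599 seconds after ds-seen; change the fragment to your own Parent section to check the policy you actually run.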