[Opendnssec-user] key ds-seen / Registry Anycast DNS

Volker Janzen voja at voja.de
Thu Dec 19 13:07:29 UTC 2013

Hi Klaus,

> There is no need to have 2 DS in the parent zone. With
> double-signature it is fine to have only one DS in the parent zone.
> You just have to make sure that the old KSK is still in the zone and
> used to sign the DNSKEYs for TTL-of-DS +
> propagation-delay-parent-zone.

you're right. That's why I only get one DNSKEY. The zone is signed with
both keys, it's enough that one is valid at the TLD level to keep the
chain. The double signature is kept until the TTLs expired.
> AFAIK these values can be configured in kasp.xml. Therefore I suspect
> that ODS keeps the old KSK after "ds-seen" for at least this time.

Thanks for pointing me to this. I kept the defaults:


And I think this does not match all TLD policies (found already DS
records that are valid for 86400 seconds at TLD level. I'll now check
the TLDs I want to use and use the maximum TTL for the specified values.

In this case I'm able to just check for the DS to be found, call
ds-seen and that should be enough to do.


More information about the Opendnssec-user mailing list