[Opendnssec-user] key ds-seen / Registry Anycast DNS

Klaus Darilion klaus.mailinglists at pernau.at
Thu Dec 19 15:17:33 UTC 2013

On 19.12.2013 14:07, Volker Janzen wrote:
> <Parent>
>    <PropagationDelay>PT9999S</PropagationDelay>
>    <DS>
>      <TTL>PT3600S</TTL>
>    </DS>
>    <SOA>
>      <TTL>PT172800S</TTL>
>      <Minimum>PT10800S</Minimum>
>    </SOA>
> </Parent>
> And I think this does not match all TLD policies (found already DS
> records that are valid for 86400 seconds at TLD level. I'll now check
> the TLDs I want to use and use the maximum TTL for the specified values.
> In this case I'm able to just check for the DS to be found, call
> ds-seen and that should be enough to do

9999 seconds are IMO a bit low - if a name server of the parent zone is 
~3 hours behind, validation may fail. I think 3 hours of "out-ofsync" 
may happen also for TLDs.

Unfortunately I do not know how the parents SOA TTL+Minimum influences 
the rollover. Maybe someone can enlighten us.


More information about the Opendnssec-user mailing list