[Opendnssec-user] Pre-publish DS records?

Jan-Piet Mens jpmens.dns at gmail.com
Fri Feb 13 10:05:01 UTC 2015


When OpenDNSSEC creates a new KSK and publishes it in the zone, it waits
a period before asking an admin to confirm that the DS has been seen in
the parent zone (ds-seen).

Why does it do that, by which I mean, what's the waiting period for
respectively why is the confirmation needed? Just to remove the old key?

RFC 4035, section 2.4 says:

        "A DS RR SHOULD point to a DNSKEY RR that is present in the
        child's apex DNSKEY RRset, and the child's apex DNSKEY RRset
        SHOULD be signed by the corresponding private key.  DS RRs that
        fail to meet these conditions are not useful for validation, but
        because the DS RR and its corresponding DNSKEY RR are in
        different zones, and because the DNS is only loosely consistent,
        temporary mismatches can occur."

I interpret this as meaning it's fine to have DS records without the
matching DNSKEYs provided there is at least one DS with the same
algorithm which *does* have a matching DNSKEY record in the zone.

By rights it's also fine to have DNSKEY records which *don't* have a
corresponding DS in the parent.

The reason I'm asking is, I'd like to automate as much as possible and
avoid as much human error^W interaction as possible.

Is it safe to have OpenDNSSEC publish a new KSK DNSKEY and a short while
later publish its DS in the parent? Is it also safe to have superfluous
DS records (e.g. for DNSKEYs which have long been removed) for a zone in
that parent?

Thanks for clarifying. Regards,


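The mismatch the quoted RFC text is about, the DS in the parent versus the DNSKEY RRset at the child's apex, is mechanical to check, and that check is what an automated "ds-seen" would have to do. The script below is an added example, not OpenDNSSEC's code and not part of the post. It computes the DS that each published DNSKEY would produce (RFC 4034 key tag and digest over owner name plus RDATA), splits a parent's DS set into matched and dangling records, and answers two questions from the post: "is the DS for this new KSK visible yet" and "does every algorithm in the DS set still have at least one DS that points at a live DNSKEY". The zone name, the keys (placeholder public-key bytes, not real RSA keys) and the stale DS are all constructed; RRSIGs are not verified.

```python
"""Compare a parent's DS set with the child's apex DNSKEY RRset.

Added example, not OpenDNSSEC's own code.  All records below are constructed;
public-key bytes are placeholders, so only DS/DNSKEY correspondence is checked.
"""
import base64
import hashlib
import struct
from collections import namedtuple

DNSKEY = namedtuple("DNSKEY", "flags protocol algorithm pubkey")
DS = namedtuple("DS", "keytag algorithm digest_type digest")

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types
SEP_FLAG = 0x0001  # Secure Entry Point bit, set on KSKs


def owner_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags (16 bit), protocol (8), algorithm (8), public key."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.pubkey


def key_tag(key):
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is omitted)."""
    ac = 0
    for i, byte in enumerate(dnskey_rdata(key)):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for(name, key, digest_type=2):
    """The DS a parent should publish for a DNSKEY: digest(owner name wire + RDATA)."""
    digest = DIGEST_ALGS[digest_type](owner_wire(name) + dnskey_rdata(key)).hexdigest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def parse_dnskey(text):
    """Presentation-format DNSKEY RDATA: '<flags> <protocol> <algorithm> <base64>'."""
    flags, proto, alg, *b64 = text.split()
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(text):
    """Presentation-format DS RDATA: '<keytag> <algorithm> <digest type> <hex>'."""
    tag, alg, dtype, *hexdigest = text.split()
    return DS(int(tag), int(alg), int(dtype), "".join(hexdigest).lower())


def classify(name, dnskeys, ds_set):
    """Return (matched DS, dangling DS, KSKs that have no DS in the parent)."""
    computed = {ds_for(name, k, dt): k for k in dnskeys for dt in DIGEST_ALGS}
    matched = [ds for ds in ds_set if ds in computed]
    dangling = [ds for ds in ds_set if ds not in computed]
    covered = {computed[ds] for ds in matched}
    ksks_without_ds = [k for k in dnskeys if k.flags & SEP_FLAG and k not in covered]
    return matched, dangling, ksks_without_ds


def ds_seen(name, key, ds_set):
    """Automated 'ds-seen': does the parent's DS set contain a DS for this key?"""
    return any(ds_for(name, key, dt) in ds_set for dt in DIGEST_ALGS)


def chain_usable(name, dnskeys, ds_set):
    """Every algorithm present in the DS set has at least one DS that points at a
    DNSKEY the child publishes; dangling DS records for other keys do not matter."""
    matched, _, _ = classify(name, dnskeys, ds_set)
    algs_in_ds = {ds.algorithm for ds in ds_set}
    return bool(algs_in_ds) and algs_in_ds == {ds.algorithm for ds in matched}


# Constructed scenario: a KSK rollover where the old KSK is already withdrawn.
ZONE = "example.net."
OLD_KSK = DNSKEY(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(0, 32)))   # placeholder key
NEW_KSK = DNSKEY(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32, 64)))  # placeholder key
ZSK = DNSKEY(256, 3, 8, b"\x03\x01\x00\x01" + bytes(range(64, 96)))      # placeholder key
CHILD_DNSKEYS = [NEW_KSK, ZSK]
PARENT_DS = [
    ds_for(ZONE, NEW_KSK),              # current DS
    ds_for(ZONE, OLD_KSK),              # DS for the withdrawn KSK, now dangling
    parse_ds("12345 8 2 " + "ab" * 32),  # constructed stale DS for a long-gone key
]

if __name__ == "__main__":
    matched, dangling, missing = classify(ZONE, CHILD_DNSKEYS, PARENT_DS)
    print("matched DS key tags :", [ds.keytag for ds in matched])
    print("dangling DS key tags:", [ds.keytag for ds in dangling])
    print("KSKs without a DS   :", [key_tag(k) for k in missing])
    print("ds-seen for new KSK :", ds_seen(ZONE, NEW_KSK, PARENT_DS))
    print("chain usable        :", chain_usable(ZONE, CHILD_DNSKEYS, PARENT_DS))
```

In the constructed state the two dangling DS records are harmless because the new KSK's DS is present, which is the situation the RFC text tolerates. Running `chain_usable` with only the old DS in the parent while the old KSK is already gone from the child shows the failure mode the wait before `ds-seen` guards against: nothing in the DS set then points at a published DNSKEY. To use this for real, feed it DNSKEY and DS RRsets fetched from the parent's and child's authoritative servers rather than from a recursive resolver, so a cached answer cannot make the DS look present before every parent server serves it.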