[Opendnssec-user] Pre-publish DS records?
Jan-Piet Mens
jpmens.dns at gmail.com
Fri Feb 13 10:05:01 UTC 2015
Hello,
When OpenDNSSEC creates a new KSK and publishes it in the zone, it waits
a period before asking an admin to confirm that the DS has been seen in
the parent zone (ds-seen).
Why does it do that, by which I mean, what's the waiting period for
respectively why is the confirmation needed? Just to remove the old key?
RFC 4035, section 2.4 says:
"A DS RR SHOULD point to a DNSKEY RR that is present in the
child's apex DNSKEY RRset, and the child's apex DNSKEY RRset
SHOULD be signed by the corresponding private key. DS RRs that
fail to meet these conditions are not useful for validation, but
because the DS RR and its corresponding DNSKEY RR are in
different zones, and because the DNS is only loosely consistent,
temporary mismatches can occur."
I interpret this as meaning it's fine to have DS records without the
matching DNSKEYs provided there is at least one DS with the same
algorithm which *does* have a matching DNSKEY record in the zone.
By rights it's also fine to have DNSKEY records which *don't* have a
corresponding DS in the parent.
The reason I'm asking is, I'd like to automate as much as possible and
avoid as much human error^W interaction as possible.
Is it safe to have OpenDNSSEC publish a new KSK DNSKEY and a short while
later publish its DS in the parent? Is it also safe to have superfluous
DS records (e.g. for DNSKEYs which have long been removed) for a zone in
that parent?
Thanks for clarifying. Regards,
-JP
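The consistency condition the post quotes from RFC 4035 (a DS is only useful if a DNSKEY with the same owner, algorithm and digest exists in the child apex, and stale DS records are harmless as long as at least one DS per algorithm still matches a published key) can be checked mechanically. The following is an added example, not code from the post or from OpenDNSSEC: it builds DS records from DNSKEY RDATA exactly as RFC 4034 section 5.1.4 and Appendix B describe (SHA-256 digest over canonical owner name plus RDATA, and the key tag arithmetic), then classifies a parent's DS set against the child's DNSKEY set. The zone name, key bytes and DS values are constructed placeholders; only digest type 2 (SHA-256) is compared, so a DS with another digest type is reported as "not checked" rather than matched.

```python
"""Check a parent's DS RRset against a child's DNSKEY RRset (RFC 4034 / 4035).

Added example for illustration; keys and zone name below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

DS_DIGEST_SHA256 = 2      # DS digest type 2 = SHA-256 (RFC 4509)
FLAG_ZONE_KEY = 0x0100    # DNSKEY flags bit 7: Zone Key (RFC 4034 2.1.1)
FLAG_SEP = 0x0001         # DNSKEY flags bit 15: Secure Entry Point, the "KSK" marker


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (non-algorithm-1 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(name: str, key: DNSKEY) -> DS:
    """RFC 4034 5.1.4: digest = SHA-256(canonical owner name | DNSKEY RDATA)."""
    rdata = key.rdata()
    digest = hashlib.sha256(owner_wire(name) + rdata).digest()
    return DS(key_tag(rdata), key.algorithm, DS_DIGEST_SHA256, digest)


def check_ds_set(name: str, ds_set: Set[DS], dnskeys: Iterable[DNSKEY]
                 ) -> Tuple[Dict[DS, Optional[bool]], Dict[int, bool], List[DNSKEY]]:
    """Classify the parent's DS set against the child's DNSKEY set.

    Returns (matched, usable, unanchored):
      matched    - per DS: True if a published zone key matches, False if stale,
                   None if the digest type is not one this checker computes
      usable     - per algorithm present in the DS set: is there at least one
                   matching DS (the RFC 4035 2.4 condition for validation)
      unanchored - SEP-flagged DNSKEYs that no DS in the parent points to
    """
    expected = {ds_from_dnskey(name, k): k for k in dnskeys if k.flags & FLAG_ZONE_KEY}
    matched: Dict[DS, Optional[bool]] = {
        ds: (ds in expected) if ds.digest_type == DS_DIGEST_SHA256 else None
        for ds in ds_set
    }
    usable = {alg: any(ok is True for ds, ok in matched.items() if ds.algorithm == alg)
              for alg in {ds.algorithm for ds in ds_set}}
    unanchored = [k for ds, k in expected.items()
                  if k.flags & FLAG_SEP and ds not in ds_set]
    return matched, usable, unanchored


if __name__ == "__main__":
    zone = "example.com."                                  # placeholder zone
    new_ksk = DNSKEY(257, 3, 8, bytes(range(16)))          # constructed, not a real RSA key
    zsk = DNSKEY(256, 3, 8, bytes(range(16, 32)))          # constructed
    removed_ksk = DNSKEY(257, 3, 8, bytes(range(32, 48)))  # no longer in the zone
    parent_ds = {ds_from_dnskey(zone, new_ksk), ds_from_dnskey(zone, removed_ksk)}
    matched, usable, unanchored = check_ds_set(zone, parent_ds, [new_ksk, zsk])
    for ds, ok in matched.items():
        print(f"DS tag={ds.key_tag} alg={ds.algorithm}: "
              f"{'matches DNSKEY' if ok else 'stale (no DNSKEY)' if ok is False else 'not checked'}")
    print("validation possible per algorithm:", usable)
    print("KSKs without a DS in the parent:", [key_tag(k.rdata()) for k in unanchored])
```

Run against a real zone by loading the child's DNSKEY RRset and the parent's DS RRset into the two dataclasses: a stale DS shows up as `False` but does not make the algorithm unusable while another DS for that algorithm still matches, and a freshly published KSK that is not yet in the parent appears in `unanchored`, which is the state between "publish DNSKEY" and "DS seen" that the post asks about.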