[Opendnssec-user] Pre-publish DS records?

Jan-Piet Mens jpmens.dns at gmail.com
Fri Feb 13 10:36:06 UTC 2015

> Is it safe to have OpenDNSSEC publish a new KSK DNSKEY and a short while
> later publish its DS in the parent? Is it also safe to have superflous
> DS records (e.g for DNSKEYs which have long been removed) for a zone in
> that parent?

Taking this 1/2 step further: if both parent and child zones are under
control of the same operator, is it safe to have the
DelegationSignerSubmitCommand submit the DS to the parent and mark the
KSK with "ds-seen" in one fell swoop? (Providing at all times there is a
DS/DNSKEY pair which match.)


More information about the Opendnssec-user mailing list