Fwd: [Opendnssec-user] Pre-publish DS records?

Rick van Rein rick at openfortress.nl
Fri Feb 13 10:39:28 UTC 2015

Hello Jan-Piet,

> Is it safe to have OpenDNSSEC publish a new KSK DNSKEY and a short while
> later publish its DS in the parent? Is it also safe to have superflous
> DS records (e.g for DNSKEYs which have long been removed) for a zone in
> that parent?

It ought to be safe, precisely as you stated it — at least one DNSKEY per algorithm
must be found.  One situation where this may occur is during secure domain
transfers, where the DS’s of the old and new situation are stored in the parent.


More information about the Opendnssec-user mailing list