[Opendnssec-user] Pre-publish DS records?

Rick van Rein rick at openfortress.nl
Fri Feb 13 10:41:12 UTC 2015


Hello again,

> Taking this 1/2 step further: if both parent and child zones are under
> control of the same operator, is it safe to have the
> DelegationSignerSubmitCommand submit the DS to the parent and mark the
> KSK with "ds-seen" in one fell swoop? (Providing at all times there is a
> DS/DNSKEY pair which match.)

This is not safe.  OpenDNSSEC might remove your DNSKEY before all
clients have stopped relying on it.  They might have the old DS on board
but not the old DNSKEY.  The least paranoid cause for this would be
differences in TTL for the two records.

-Rick
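To make the failure mode concrete, here is an added toy model (written for this archive page, not part of the thread and not OpenDNSSEC code) of what a validating resolver's cache looks like across the DS switch. It assumes hour-long ticks, constructed TTLs (parent DS 24h, child DNSKEY 2h), hypothetical key labels "ksk-old"/"ksk-new", and reduces OpenDNSSEC's rollover logic to a single assumption: after ds-seen it waits the DS TTL its policy believes in, then drops the old KSK. The real enforcer has more timers, but the hazard Rick points at survives this simplification: a resolver that cached the old DS (because the parent had not published yet, or because the real DS TTL is longer than the policy assumes) refetches the DNSKEY set after the old key is gone and has nothing to match it against.

```python
# Added example (not part of the original thread, not OpenDNSSEC code): a toy
# timeline model of the KSK rollover hazard described above. Ticks are hours;
# all TTLs, delays and key labels are constructed for illustration.
from dataclasses import dataclass

OLD, NEW = "ksk-old", "ksk-new"   # hypothetical labels standing in for key tags


@dataclass(frozen=True)
class Rollover:
    """What the authoritative servers publish over time (constructed scenario)."""
    ds_ttl: int           # TTL the parent actually serves on the DS RRset
    dnskey_ttl: int       # TTL of the child's DNSKEY RRset
    ds_switch: int        # tick at which every parent server serves the NEW DS only
    old_key_removed: int  # tick at which the child drops the OLD KSK from DNSKEY

    def ds_at(self, t):
        return {NEW} if t >= self.ds_switch else {OLD}

    def dnskey_at(self, t):
        # The new KSK is assumed to be pre-published well before the DS switch.
        return {NEW} if t >= self.old_key_removed else {OLD, NEW}


class Resolver:
    """A validating resolver with a one-entry-per-RRset TTL cache."""

    def __init__(self, zone, ds_fetch, dnskey_fetch):
        # Seed the caches as if the two RRsets were fetched at independent times;
        # this is where "differences in TTL for the two records" bites.
        self.ds = (zone.ds_at(ds_fetch), ds_fetch + zone.ds_ttl)
        self.dnskey = (zone.dnskey_at(dnskey_fetch), dnskey_fetch + zone.dnskey_ttl)

    def validates(self, zone, t):
        if t >= self.ds[1]:           # DS entry expired: refetch from the parent
            self.ds = (zone.ds_at(t), t + zone.ds_ttl)
        if t >= self.dnskey[1]:       # DNSKEY entry expired: refetch from the child
            self.dnskey = (zone.dnskey_at(t), t + zone.dnskey_ttl)
        # The chain of trust holds only if some cached DS matches a cached DNSKEY.
        return bool(self.ds[0] & self.dnskey[0])


def first_failure(zone, ds_fetch, dnskey_fetch, horizon):
    """Tick from the DS switch onward; return the first tick this resolver goes bogus."""
    r = Resolver(zone, ds_fetch, dnskey_fetch)
    for t in range(zone.ds_switch, horizon):
        if not r.validates(zone, t):
            return t
    return None


def rollover_is_safe(zone, horizon=None):
    """Exhaustively try every cache phase a resolver could be in at the DS switch.

    Returns (True, None) or (False, (ds_fetch, dnskey_fetch, first_bogus_tick)).
    """
    if horizon is None:
        horizon = zone.old_key_removed + zone.ds_ttl + zone.dnskey_ttl
    for ds_fetch in range(zone.ds_switch - zone.ds_ttl, zone.ds_switch):
        for dk_fetch in range(zone.ds_switch - zone.dnskey_ttl, zone.ds_switch):
            t = first_failure(zone, ds_fetch, dk_fetch, horizon)
            if t is not None:
                return False, (ds_fetch, dk_fetch, t)
    return True, None


def plan(submitted, propagation_delay, assumed_ds_ttl, actual_ds_ttl,
         dnskey_ttl, ds_seen_at_submit):
    """Build a scenario from the operator's choices (simplified rollover logic).

    ds_seen_at_submit=True models "submit the DS and mark ds-seen in one step":
    the DS-TTL wait starts at submission, using the TTL the policy assumes.
    Otherwise ds-seen is given only once the DS is observed at the parent, and
    the wait uses the TTL actually observed there.
    """
    ds_switch = submitted + propagation_delay
    if ds_seen_at_submit:
        old_key_removed = submitted + assumed_ds_ttl
    else:
        old_key_removed = ds_switch + actual_ds_ttl
    return Rollover(actual_ds_ttl, dnskey_ttl, ds_switch, old_key_removed)


# Three constructed scenarios, ticks in hours.
PREMATURE_DS_SEEN = plan(0, 6, 24, 24, 2, ds_seen_at_submit=True)   # parent publishes 6h late
TTL_MISMATCH = plan(0, 0, 12, 24, 2, ds_seen_at_submit=True)        # policy assumes 12h, parent serves 24h
VERIFIED_DS_SEEN = plan(0, 6, 24, 24, 2, ds_seen_at_submit=False)   # ds-seen only after the DS is visible

if __name__ == "__main__":
    for name, z in [("ds-seen at submission", PREMATURE_DS_SEEN),
                    ("DS TTL mismatch", TTL_MISMATCH),
                    ("ds-seen after verifying parent", VERIFIED_DS_SEEN)]:
        print(name, rollover_is_safe(z))
```

The first two scenarios report a resolver that goes bogus the moment the old KSK disappears; only the third, where ds-seen is given after the new DS is actually observed at the parent and the wait uses the parent's real DS TTL, survives every cache phase. That is the operational check behind Rick's answer: confirm the DS at all parent authoritative servers before marking ds-seen, and make sure the DS TTL configured in the policy is not shorter than the one the parent really serves.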