[Opendnssec-user] Pre-publish DS records?

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Feb 13 10:48:22 UTC 2015

Hash: SHA1

Hi Jan-Piet,

> When OpenDNSSEC creates a new KSK and publishes it in the zone, it
> waits a period before asking an admin to confirm that the DS has
> been seen in the parent zone (ds-seen).
> Why does it do that, by which I mean, what's the waiting period
> for respectively why is the confirmation needed? Just to remove the
> old key?

Yes the confirmation is needed to know when it is safe to remove the
old DNSKEY. Once ODS knows when the DS is first published (and thus
the old DS removed) it can calculate when it can be sure no cache
holds *only* the old DS.

If it wouldn't we could end up with a situation where a resolver sees
only DS_a and only DNSKEY_b. Which would obviously break DNSSEC.

As for the waiting period, this is probably the
Parent/PropagationDelay in the KASP? An estimate how long it will take
for a DS to be published at the parent once submitted. This is, if I'm
not mistaken, precisely done for automation purposes. Where you don't
actually check for a ds-seen but just wait long enough for it to be
very likely the record propagated. (This is *not* a good idea IMHO)

> Is it safe to have OpenDNSSEC publish a new KSK DNSKEY and a short
> while later publish its DS in the parent? Is it also safe to have
> superflous DS records (e.g for DNSKEYs which have long been
> removed) for a zone in that parent?

As long as you are not rolling algorithms (the current release can't
do that anyway) this is perfectly safe.

Version: GnuPG v1


More information about the Opendnssec-user mailing list