[Opendnssec-user] Pre-publish DS records?

Jan-Piet Mens jpmens.dns at gmail.com
Fri Feb 13 11:06:20 UTC 2015


> > is it safe to have the DelegationSignerSubmitCommand submit the DS
> > to the parent and mark the KSK with "ds-seen" in one fell swoop?

> This is not safe.  OpenDNSSEC might remove your DNSKEY before all
> clients have stopped relying on it.  They might have the old DS on board
> but not the old DNSKEY.  The least paranoid cause for this would be
> differences in TTL for the two records.

Of course, yes.

So DelegationSignerSubmitCommand gets the DNSKEY, calculates the DS, submits the DS,
schedules a process to wait for the DS to actually appear in the parent, waits a wee bit
longer and then marks ds-seen. Sounds good.

Thank you.
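The workflow just sketched, as an added example (not code from this thread or from the OpenDNSSEC project): a Python sketch of what a DelegationSignerSubmitCommand hook could do offline. It assumes the enforcer hands the DNSKEY RRs to the hook in presentation format on stdin, derives the DS (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509), checks that DS against whatever the parent's authoritative servers return, and applies a hold-down of one parent DS TTL plus a margin before it would run `ods-enforcer key ds-seen` (the `ds-seen` subcommand and its `--zone`/`--keytag` options are from OpenDNSSEC 2.x; 1.4 takes the same under `ods-ksmutil`). The sample DNSKEY, the parent DS RRset and the hold-down policy are constructed here, and the parent lookup itself is left out so the script runs without network access.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Constructed sample: a DNSKEY RR in presentation format, as the enforcer is
# assumed to hand to DelegationSignerSubmitCommand on stdin. The key blob is
# made up (an RSA exponent header followed by filler), not real key material.
_FAKE_PUBKEY = base64.b64encode(b"\x03\x01\x00\x01" + b"constructed, not a real modulus" * 3).decode()
SAMPLE_DNSKEY_LINE = f"example.com. 3600 IN DNSKEY 257 3 8 {_FAKE_PUBKEY}"


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex; compared case-insensitively


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line: str):
    """Split a presentation-format DNSKEY RR into (owner, ttl, rdata bytes)."""
    owner, ttl, _cls, rrtype, flags, proto, alg, *key_b64 = line.split()
    if rrtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY RR: {line!r}")
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key_b64))
    return owner, int(ttl), rdata


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> DS:
    """DS with a SHA-256 digest (type 2) over owner-name|RDATA, RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return DS(key_tag(rdata), algorithm, 2, digest)


def ds_visible_in_parent(expected: DS, parent_rrset) -> bool:
    """True only if the DS RRset fetched from the parent contains our DS."""
    return any(
        d.key_tag == expected.key_tag and d.algorithm == expected.algorithm
        and d.digest_type == expected.digest_type and d.digest.lower() == expected.digest.lower()
        for d in parent_rrset
    )


def safe_to_mark_ds_seen(first_seen: int, now: int, parent_ds_ttl: int, margin: int) -> bool:
    """Hold-down policy (an assumption of this example, not OpenDNSSEC's own):
    after the DS was first observed in the parent, wait a full parent DS TTL plus
    a safety margin before reporting ds-seen, so the old DNSKEY stays published
    while caches may still hold the old DS RRset."""
    return now >= first_seen + parent_ds_ttl + margin


def ds_seen_command(zone: str, tag: int):
    """argv for the OpenDNSSEC 2.x enforcer call that marks the DS as seen."""
    return ["ods-enforcer", "key", "ds-seen", "--zone", zone, "--keytag", str(tag)]


if __name__ == "__main__":
    owner, ttl, rdata = parse_dnskey(SAMPLE_DNSKEY_LINE)
    ds = ds_from_dnskey(owner, rdata)
    print(f"{owner} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}")
    # Stand-in for the parent lookup: pretend the parent already publishes our DS.
    parent_rrset = [ds]
    print("visible in parent:", ds_visible_in_parent(ds, parent_rrset))
    # first_seen=0 with a 3600 s parent DS TTL and 900 s margin: not safe at 3600 s, safe at 4500 s.
    print("safe at 3600 s:", safe_to_mark_ds_seen(first_seen=0, now=3600, parent_ds_ttl=3600, margin=900))
    print("run once safe:", " ".join(ds_seen_command(owner.rstrip("."), ds.key_tag)))
```

The check against the parent is the point: compare a DS computed locally from the DNSKEY with what the parent's authoritative servers actually serve, rather than trusting that the submission succeeded, and only after that observation plus a hold-down hand the result to the enforcer.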


