[Opendnssec-user] Pre-publish DS records?
jpmens.dns at gmail.com
Fri Feb 13 11:06:20 UTC 2015
> > is it safe to have the DelegationSignerSubmitCommand submit the DS
> > to the parent and mark the KSK with "ds-seen" in one fell swoop?
> This is not safe. OpenDNSSEC might remove your DNSKEY before all
> clients have stopped relying on it. They might have the old DS on board
> but not the old DNSKEY. The least paranoid cause for this would be
> differences in TTL for the two records.
Of course, yes.
So DelegationSignerSubmitCommand gets DNSKEY, calculates DS, submits DS,
schedules process to wait for DS actually in parent, waits a wee bit
longer and then marks ds-seen. Sounds good.
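The sequence sketched in this reply (derive DS from the DNSKEY, check that every parent nameserver serves it, wait a margin beyond the DS TTL, only then mark ds-seen), as an added Python example that is not from this thread or from OpenDNSSEC itself. It assumes the OpenDNSSEC 1.x `ods-ksmutil key ds-seen --zone ... --keytag ...` invocation, a waiting period of parent DS TTL plus a margin, and a constructed dummy DNSKEY for `example.com`.

```python
import base64
import hashlib
import struct
from datetime import datetime, timedelta

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire form, as hashed for DS (RFC 4034 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags, protocol, algorithm, public key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def keytag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS as (keytag, algorithm, digest type 2 = SHA-256, upper-case hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (keytag(rdata), rdata[3], 2, digest)

def parent_has_ds(expected: tuple, answers_per_ns: dict) -> bool:
    """True only when every parent nameserver (name -> list of DS tuples) returns the DS."""
    return bool(answers_per_ns) and all(expected in seen for seen in answers_per_ns.values())

def ready_to_mark_ds_seen(first_seen_everywhere: datetime, now: datetime,
                          ds_ttl: int, margin: timedelta = timedelta(hours=1)) -> bool:
    """Assumed safety rule: wait the parent's DS TTL plus a margin after the new DS is
    visible everywhere, so no validator still holds an old DS without the old DNSKEY."""
    return now >= first_seen_everywhere + timedelta(seconds=ds_ttl) + margin

def ds_seen_command(zone: str, tag: int) -> list:
    """Argument vector for the final step (assumed OpenDNSSEC 1.x ksmutil syntax)."""
    return ["ods-ksmutil", "key", "ds-seen", "--zone", zone, "--keytag", str(tag)]

# Constructed sample KSK (flags 257, protocol 3, algorithm 8, dummy 4-byte key).
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, "AAEAAg==")
SAMPLE_DS = make_ds("example.com", SAMPLE_RDATA)
```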