On 18-12-12 16:50, Eliot Lear wrote:
> Hi,
>
> A couple of questions:
>
> 1. SWITCH pretty much requires that for the .CH domain DS records be
> published in the child zone. With opendnssec I can kludge this a bit by
> not having rndc kick the server after a roll, but it's a kludge. Any
> way to include DS records in the output generation for the zone file?
>
> 2. It is possible to get a DS into a parent zone while the state is in
> "Publish". What's the hazard in doing so?

1. Applying DNSSEC to a child zone without updating the parent zone is fine, your DNSSEC records will simply be ignored.

2. Putting the DS in the parent before enabling the child is dangerous, your zone will not be visible on the internet until you enable DNSSEC. Just issue the ds-seen command, it doesn't matter for a new domain that has not been on DNSSEC before. Nobody will use your records until the DS is published by the parent but that's ok.

-- 
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
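
A pre-flight check for the hazard raised in question 2 and its reply, as an added example that is not part of the original thread or of OpenDNSSEC: it derives the DS (SHA-256) from each DNSKEY the child currently serves, following RFC 4034, and refuses a DS that no served key matches. The zone name, the key bytes and the function names are constructed for illustration, and the served DNSKEY list is assumed to have been fetched by the operator from the child's authoritative servers.

```python
import hashlib
import struct

# Constructed sample keys (flags, protocol, algorithm, public key bytes); not real keys.
KSK = (257, 3, 13, bytes(range(64)))
ZSK = (256, 3, 13, bytes(range(64, 128)))

def owner_wire(name):
    """Canonical (lowercased) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, algorithm):
    """DS fields: key tag, algorithm, digest type 2 (SHA-256), hex digest."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_safe_to_publish(owner, ds, served_dnskeys):
    """True only if the child already serves a zone key that this DS points to."""
    for flags, protocol, algorithm, pubkey in served_dnskeys:
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
        # 0x0100 is the Zone Key flag; a DS must refer to a key that has it set.
        if flags & 0x0100 and make_ds(owner, rdata, algorithm) == ds:
            return True
    return False

if __name__ == "__main__":
    ds = make_ds("example.ch", dnskey_rdata(*KSK), 13)
    print("DS:", ds)
    print("child unsigned:     ", ds_safe_to_publish("example.ch", ds, []))
    print("child serves KSK:   ", ds_safe_to_publish("example.ch", ds, [ZSK, KSK]))
    print("child serves other: ", ds_safe_to_publish("example.ch", ds, [ZSK]))
```
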
