Hello again, > Taking this 1/2 step further: if both parent and child zones are under > control of the same operator, is it safe to have the > DelegationSignerSubmitCommand submit the DS to the parent and mark the > KSK with "ds-seen" in one fell swoop? (Providing at all times there is a > DS/DNSKEY pair which match.)
This is not safe. OpenDNSSEC might remove your DNSKEY before all clients have stopped to rely on it. They might have the old DS on board but not the old DNSKEY. The least paranoid cause for this would be differences in TTL for the two records. -Rick _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
