Hi Jan-Piet,

> When OpenDNSSEC creates a new KSK and publishes it in the zone, it
> waits a period before asking an admin to confirm that the DS has
> been seen in the parent zone (ds-seen).
>
> Why does it do that, by which I mean, what's the waiting period
> for, respectively why is the confirmation needed? Just to remove the
> old key?

Yes, the confirmation is needed to know when it is safe to remove the old DNSKEY. Once ODS knows when the DS is first published (and thus the old DS removed) it can calculate when it can be sure no cache holds *only* the old DS. If it didn't, we could end up with a situation where a resolver sees only DS_a and only DNSKEY_b, which would obviously break DNSSEC.

As for the waiting period, this is probably the Parent/PropagationDelay in the KASP? An estimate of how long it will take for a DS to be published at the parent once submitted. This is, if I'm not mistaken, done precisely for automation purposes, where you don't actually check for a ds-seen but just wait long enough for it to be very likely the record propagated. (This is *not* a good idea IMHO.)

> Is it safe to have OpenDNSSEC publish a new KSK DNSKEY and a short
> while later publish its DS in the parent? Is it also safe to have
> superfluous DS records (e.g. for DNSKEYs which have long been
> removed) for a zone in that parent?

As long as you are not rolling algorithms (the current release can't do that anyway) this is perfectly safe.

//Yuri

Opendnssec-user mailing list, https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
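The cache argument in the reply above, as an added example that is neither Yuri's code nor part of OpenDNSSEC: a small Python model that, for a constructed KSK rollover timeline (times in hours; the DS TTL, DNSKEY TTL and parent propagation delay are assumed values), searches for any hour at which a resolver could hold only DS_a together with only DNSKEY_b. It also shows the earliest safe withdrawal of the old DNSKEY (ds-seen time plus propagation delay plus DS TTL) and that a superfluous DS_a left at the parent does no harm.

```python
from itertools import product

# Constructed scenario, all times in hours; 'a' is the old KSK, 'b' the new one (placeholder tags).
DS_TTL, DNSKEY_TTL, PARENT_LAG = 24, 2, 4   # assumed DS TTL, DNSKEY TTL, parent propagation delay
PARENT_SWAP = [(0, frozenset('a')), (20, frozenset('b'))]         # parent replaces DS_a by DS_b at 20
PARENT_KEEPS_BOTH = [(0, frozenset('a')), (20, frozenset('ab'))]  # parent adds DS_b, keeps superfluous DS_a

def child_keys(remove_a_at):
    """DNSKEY RRset timeline: KSK_b pre-published at hour 10, KSK_a withdrawn at remove_a_at."""
    return [(0, frozenset('a')), (10, frozenset('ab')), (remove_a_at, frozenset('b'))]

def rrset_at(timeline, t):
    """RRset the master publishes at hour t; timeline is a list of (start_hour, key_tags)."""
    current = frozenset()
    for start, rrset in sorted(timeline):
        if start <= t:
            current = rrset
    return current

def observable(timeline, fetch, lag):
    """RRsets a resolver might receive when fetching at hour `fetch`, if some
    authoritative servers lag the master by up to `lag` hours."""
    return {rrset_at(timeline, t) for t in range(max(0, fetch - lag), fetch + 1)}

def first_failure(ds_timeline, dnskey_timeline, ds_ttl, dnskey_ttl, parent_lag, horizon):
    """Earliest hour at which some resolver could hold a cached DS RRset and a cached
    DNSKEY RRset with no key in common (the 'only DS_a and only DNSKEY_b' state).
    Returns None if no such hour exists before `horizon`."""
    for now in range(horizon):
        ds_views, key_views = set(), set()
        for f in range(max(0, now - ds_ttl), now + 1):        # DS fetched at f, still cached now
            ds_views |= observable(ds_timeline, f, parent_lag)
        for g in range(max(0, now - dnskey_ttl), now + 1):    # DNSKEY fetched at g, still cached now
            key_views |= observable(dnskey_timeline, g, 0)
        if any(not (ds & keys) for ds, keys in product(ds_views, key_views)):
            return now
    return None

def earliest_safe_removal(ds_seen, ds_ttl, parent_lag):
    """Hour from which no cache can still hold only the old DS: the ds-seen time plus
    the parent's propagation delay plus the DS TTL."""
    return ds_seen + parent_lag + ds_ttl

if __name__ == "__main__":
    safe = earliest_safe_removal(20, DS_TTL, PARENT_LAG)
    for when in (30, safe - 1, safe):
        broken = first_failure(PARENT_SWAP, child_keys(when), DS_TTL, DNSKEY_TTL, PARENT_LAG, 80)
        print(f"withdraw KSK_a at hour {when}: first broken hour = {broken}")
    print("superfluous DS_a kept:", first_failure(PARENT_KEEPS_BOTH, child_keys(safe), DS_TTL, DNSKEY_TTL, PARENT_LAG, 80))
```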
