Dnssec questions

[Jeremy C. Reed]

On Tue, 16 Sep 2008, Thomas Schulz wrote:

> Am I correct in assumeing that I can set up our server with the dnssec
> keys and then without any great rush send the dlv records to isc.org
> and no resolver will reject our zone because of the partial setup?

It should be fine. I have signed domains that don't have dlv records (and 
parent doesn't know) and they work for others fine.


> What do I do when I want to change to new keys?  It would seem that I
> can't change either my keys or the dlv record at isc.org without doing
> the other one first!  Can I load new keys and keep the old ones loaded
> at the same time?  If so, then changing the dlv record should be ok.

Yes, keep both keys at same time. (I will see if I can get the ISC DLV 
webpage updated about this.)

> Is it reasonable to set the expiration time to some large value for
> zones that would not be interesting to anyone?  I am thinking of
> changing the key yearly but set the expire time to 2 years so that
> there will be no problems if I get side tracked for a month or so.

Yes, it is reasonable. Some do this monthly. Some do annnually. Some say 
several years is fine. (There were detailed postings about this recently 
on this list.)

> What happens if one of our secondaries has no special setup for dnssec?
> Should it be still able to serve any records that it gets in the zone
> transfer?

It will be able to serve them. But it won't return the RRSIG or DS records 
automatically (so no DNSSEC).

> And if it does not serve the key records when there are dlv
> records at isc.org what happens?

Then it will be normal DNS. The DLV records won't be consulted (at least 
won't be required).