Multiple DS Records

Paul Wouters paul at xelerance.com
Sun Jun 27 15:39:06 UTC 2010


On Sun, 27 Jun 2010, Loren M. Lang wrote:

> I have read through RFC 4641 and I believe I understand the various key
> rollover procedures, but the RFC does not mention the scenario of
> adding the DS records to the parent before publishing and/or using the
> new KSKs.  Is it safe to pre-publish new DS records and, once it has
> propagated to slave servers + its original TTL, swap out the KSK and
> resign the DNSKEY RRset?

Though you can do that, it is better to first propagate your KSKs, then
add the second DS, and then, after propagation, remove the old DS, then
remove the old KSK. That way, you don't have invalid DS records in your
zone at any time.

Paul
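As an added illustration (not from the thread or from BIND itself): a small Python model of the two orderings discussed above. It checks, at each step, that a validator holding either the previous or the current DS and DNSKEY RRsets still finds a DS matching a signing KSK, and lists DS records that point at a key not in the zone (the "invalid DS records" of the reply). It assumes each step waits for propagation plus the old TTL, as the question describes; the key tags "old" and "new" are constructed.

```python
"""Constructed model of KSK rollover orderings (simplified).

Each step publishes a DNSKEY RRset (set of KSK key tags present and
signing it) and a DS RRset at the parent (key tags it references).
Since a validator may still cache the previous step's DS or DNSKEY,
every {previous, current} DS x {previous, current} DNSKEY combination
must contain at least one DS that matches a signing KSK.
"""

def chain_validates(ds, ksks):
    """A validator succeeds if some DS matches a KSK signing DNSKEY."""
    return bool(set(ds) & set(ksks))

def dangling_ds(ds, ksks):
    """DS records pointing at a key that is not in the DNSKEY RRset."""
    return sorted(set(ds) - set(ksks))

def check_rollover(steps):
    """steps: list of (label, ksks, ds). Returns (label, ok, dangling)."""
    reports = []
    prev_ksks, prev_ds = steps[0][1], steps[0][2]
    for label, ksks, ds in steps:
        ok = all(chain_validates(d, k)
                 for d in (prev_ds, ds) for k in (prev_ksks, ksks))
        reports.append((label, ok, dangling_ds(ds, ksks)))
        prev_ksks, prev_ds = ksks, ds
    return reports

# "old" and "new" stand for the key tags of the two KSKs (constructed).
DS_FIRST = [  # the ordering the question asks about
    ("start",            {"old"}, {"old"}),
    ("pre-publish DS",   {"old"}, {"old", "new"}),
    ("swap KSK, resign", {"new"}, {"old", "new"}),
    ("remove old DS",    {"new"}, {"new"}),
]
KSK_FIRST = [  # the ordering recommended in the reply
    ("start",          {"old"}, {"old"}),
    ("add new KSK",    {"old", "new"}, {"old"}),
    ("add new DS",     {"old", "new"}, {"old", "new"}),
    ("remove old DS",  {"old", "new"}, {"new"}),
    ("remove old KSK", {"new"}, {"new"}),
]
ABRUPT = [  # no overlap at all: breaks validators holding the old DS
    ("start",       {"old"}, {"old"}),
    ("swap KSK+DS", {"new"}, {"new"}),
]

if __name__ == "__main__":
    for name, seq in (("DS first", DS_FIRST), ("KSK first", KSK_FIRST),
                      ("abrupt", ABRUPT)):
        for label, ok, dangling in check_rollover(seq):
            print(f"{name:9} {label:17} validates={ok!s:5} dangling={dangling}")
```

Both orderings from the thread validate throughout; only the recommended one never has a DS without a matching KSK, and the abrupt swap fails for validators still holding the old DS.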



More information about the bind-users mailing list