problem registering DS records with EDUCAUSE, sanity check please

Mark Andrews marka at isc.org
Tue Jul 15 01:33:28 UTC 2014


In message <20140715004923.GG31192 at bender.unx.csupomona.edu>, "Paul B. Henson" 
writes:
> On Tue, Jul 15, 2014 at 10:19:10AM +1000, Mark Andrews wrote:
> 
> > The new key does not sign the DNSKEY RRset.
> [...]
> > Make sure the DNSKEY RRset is signed with the new key then try to
> > add the DS record to the parent.
> 
> It's intentionally not being used for signing; it's published but not yet
> activated. We've been doing pre-publish key rollover since we deployed
> dnssec, I don't think there's any requirement that a DS record point to
> a key actually in use for signing, just to one that exists in the zone?

For a DS to *work* it needs to point to a key that signs the DNSKEY
RRset.  Validators check that the signature exists.  Activating the
key will add 1 signature to the zone.

Not activating it increases the risk of shooting yourself in the
foot in the future which, presumably, EDUCAUSE is trying to prevent.
If you were to disable the current key without first activating the
new key and allowing the old DNSKEY RRset to clear caches you would
end up with a broken secure delegation.  By ensuring all DS records
that are added point to self-signed DNSKEY RRsets they prevent this
scenario from happening.

> Thanks...
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
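As an added illustration of the check Mark describes (this is example code, not anything from the thread or from EDUCAUSE's registration tooling): it builds DS records from DNSKEY RDATA per RFC 4034 and then accepts a DS only if the matching DNSKEY also appears as the signer of an RRSIG over the DNSKEY RRset. The zone name example.edu, the key bytes (which are not real RSA keys) and the RRSIG key-tag set are all constructed; a real validator verifies the RRSIG cryptographically, whereas this example only checks that a signature claiming that key exists, which is exactly what is missing for a published-but-inactive key.

```python
"""Does a DS point at a DNSKEY that signs the DNSKEY RRset?  Constructed example."""
import hashlib
import struct


def name_wire(name):
    """Canonical wire form of an owner name: lower-cased labels (RFC 4034 6.2)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the whole RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata):
    """DS as (key tag, algorithm, digest type 2 = SHA-256, digest), RFC 4034 5.1.4."""
    digest = hashlib.sha256(name_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)


def ds_usable(owner, ds, dnskeys, rrsig_dnskey_tags):
    """Return (ok, reason) for one DS against the child's DNSKEY RRset.

    rrsig_dnskey_tags is the set of key tags carried by RRSIG(DNSKEY) records.
    Key tags are not unique, so a production check would verify the signature
    itself rather than stop at the first tag match (assumption of this example).
    """
    tag, alg, dtype, digest = ds
    if dtype != 2:
        return False, "only digest type 2 (SHA-256) is handled here"
    for rdata in dnskeys:
        if key_tag(rdata) != tag or rdata[3] != alg:
            continue
        if hashlib.sha256(name_wire(owner) + rdata).digest() != digest:
            continue
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0100:
            return False, "matching DNSKEY lacks the Zone Key flag"
        if tag in rrsig_dnskey_tags:
            return True, "DS matches a DNSKEY that signs the DNSKEY RRset"
        return False, "DS matches a published DNSKEY, but no RRSIG(DNSKEY) uses it"
    return False, "DS matches no DNSKEY in the zone"


# Constructed zone: placeholder name, synthetic key bytes (not real keys).
OWNER = "example.edu."
ACTIVE_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + bytes(range(1, 33)))
NEW_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + bytes(range(33, 65)))   # pre-published
ZSK = dnskey_rdata(256, 8, b"\x03\x01\x00\x01" + bytes(range(65, 97)))
DNSKEYS = [ACTIVE_KSK, NEW_KSK, ZSK]
# Only the active KSK signs the DNSKEY RRset; the new KSK is not yet activated.
RRSIG_DNSKEY_TAGS = {key_tag(ACTIVE_KSK)}


def demo():
    """Run the check for an active key, a pre-published key and an unknown key."""
    return {
        "active": ds_usable(OWNER, make_ds(OWNER, ACTIVE_KSK), DNSKEYS, RRSIG_DNSKEY_TAGS),
        "prepublished": ds_usable(OWNER, make_ds(OWNER, NEW_KSK), DNSKEYS, RRSIG_DNSKEY_TAGS),
        "unknown": ds_usable(OWNER, make_ds(OWNER, dnskey_rdata(257, 8, b"\x00")),
                             DNSKEYS, RRSIG_DNSKEY_TAGS),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:13s} {'OK ' if ok else 'BAD'} {why}")
```

The "prepublished" case is the situation in the thread: the DS matches a DNSKEY that is in the zone, but because no RRSIG(DNSKEY) is made with that key the chain of trust from that DS goes nowhere, which is why a registrar that insists on a self-signed DNSKEY RRset rejects it.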