Struggling with dnssec-policy timers
vom513
vom513 at gmail.com
Mon Nov 28 20:12:26 UTC 2022
Thanks for the reply and info…
I would have thought the CDS would be published before the key went active. I.e. there would be a period of TWO DS’es at the parent (I’m assuming the parent supports CDS/CDNSKEY which mine (registrar) does).
Since the new key goes active, CDS is published, and the old key is retired at the same time - isn’t this going to cause a (lack of coverage/chain of trust) problem? I’m really trying to get to a point of a “one command” rollover. I.e. no API, no uploading DS, etc. I guess I’ll see tonight when it happens, but I can’t help but feel when the clock strikes I’m going to be missing DS for the new key at the parent.