[dns-operations] [DNSSEC] A "lame" DS record: operational problem or not?

Matt Larson mlarson at verisign.com
Tue Sep 14 18:50:56 UTC 2010


On Tue, 14 Sep 2010, Olafur Gudmundsson wrote:
> I have on a number of times recommended that people pre-publish the DS
> record of standby KSK rather than add the key to the DNSKEY set as,
> then the only delay in bringing the new key into use is on the child
> sign and does not involve the parent, except to remove the DS record
> when the roll is complete.

While I cannot speak for the .BE registry and am not doing so here, I
believe it is possible that is the intent with these DS records.

> Educate at the tool writers.

Might a warning--with the proper explanation--still be appropriate?  A
DS record in the parent without a corresponding key in the child is
indeed useful as a "hot standby" as you've described, but it has
potential to become catastrophic if it's overlooked and the other
DS/DNSKEY combinations are removed in an attempt to take the zone
insecure.

Matt
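The warning Matt asks tool writers for can be implemented directly from the DS and DNSKEY RRsets. The following is an added example (not code from the list, the .BE registry, or any named tool) that derives DS records from a child's DNSKEY RRset per RFC 4034, flags DS records in the parent that match no child key ("lame" or hot-standby DS), and classifies the delegation so that a removal that would leave only lame DS records is caught before it makes the zone bogus. The owner name, key material and DS set below are constructed for the demonstration; `dnskey_rdata`, `lame_ds` and `classify` are this example's own helpers, not a library API.

```python
import hashlib
import struct

# RFC 4034 section 5.1.3: DS digest types this example understands.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Owner name in canonical (lowercase) wire format, as used in the DS digest."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Build DNSKEY RDATA: flags (2 octets), protocol (1), algorithm (1), key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if (i & 1) else (octet << 8)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches_key(owner, ds, rdata):
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS or rdata[3] != alg:
        return False
    return ds_from_dnskey(owner, rdata, dtype)[3] == digest.lower()


def lame_ds(owner, ds_set, dnskey_set):
    """DS records in the parent with no corresponding key in the child's DNSKEY RRset."""
    return [ds for ds in ds_set
            if not any(ds_matches_key(owner, ds, rd) for rd in dnskey_set)]


def classify(owner, ds_set, dnskey_set):
    """Status of a delegation as a validator would see it after a change."""
    if not ds_set:
        return "insecure"
    lame = lame_ds(owner, ds_set, dnskey_set)
    if len(lame) == len(ds_set):
        # Every DS points at a key the child does not publish: validation fails.
        return "bogus"
    if lame:
        return "secure (lame standby DS present)"
    return "secure"


# Constructed demo data: one active KSK and one pre-published standby KSK.
OWNER = "child.example."
ACTIVE = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(1, 65)))
STANDBY = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(64, 0, -1)))
PARENT_DS = [ds_from_dnskey(OWNER, ACTIVE), ds_from_dnskey(OWNER, STANDBY)]


def demo():
    """The scenario from the thread: standby DS is fine until the active pair goes."""
    before = classify(OWNER, PARENT_DS, [ACTIVE])
    # Operator removes the active DS and DNSKEY to "take the zone insecure",
    # forgetting the standby DS that is still published in the parent.
    after = classify(OWNER, [PARENT_DS[1]], [])
    return before, after


if __name__ == "__main__":
    for ds in lame_ds(OWNER, PARENT_DS, [ACTIVE]):
        print("warning: DS %d/%d/%d has no matching DNSKEY in %s" % (ds[:3] + (OWNER,)))
    print(demo())
```

The `classify` result for the post-removal state is "bogus" because the only DS left is the standby one and the child publishes no key for it. A tool that checks the proposed DS/DNSKEY sets with this logic before submitting the change can print the warning together with the explanation that a lame DS is harmless as a hot standby but fatal once it is the only DS left.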


