[dns-operations] [DNSSEC] A "lame" DS record: operational problem or not?

Casey Deccio casey at deccio.net
Tue Sep 14 19:42:53 UTC 2010


On Tue, Sep 14, 2010 at 11:50 AM, Matt Larson <mlarson at verisign.com> wrote:
>
> Might a warning--with the proper explanation--still be appropriate?  A
> DS record in the parent without a corresponding key in the child is
> indeed useful as a "hot standby" as you've described, but it has
> potential to become catastrophic if it's overlooked and the other
> DS/DNSKEY combinations are removed in an attempt to take the zone
> insecure.
>

I think that a warning with proper explanation is certainly
appropriate.  It's not always possible for a tool to infer the proper
context of the DS, in the sense of a KSK rollover, but a statement
that indicates a potential problem could alert the administrator.  I
have seen a number of deployments go from bad to worse in terms of
DS/DNSKEY alignments over the past few months.  Getting it right (and
understanding it) can be tricky for administrators, especially those
that are new to the game.

Casey
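
The DS/DNSKEY alignment check the thread is discussing, written out as an added example (it is not part of the original message and not code from any tool the participants maintain). It computes DS records from DNSKEYs per RFC 4034/4509/6605 with only the Python standard library and classifies the parent's DS set against the child's DNSKEY set: a DS with no key behind it gets a warning, as Matt and Casey suggest, and the case where the only matched pair has been removed is reported as bogus. The zone name and key bytes below are constructed for the example and are not real keys; in practice the inputs come from a DNSKEY query at the child and a DS query at the parent. The script checks alignment only; it does not verify RRSIGs.

```python
"""Compare the DS RRset a parent publishes with the DNSKEY RRset the child
serves, and classify the result the way a warning-emitting checker might.
Key tags and DS digests follow RFC 4034 (SHA-1), RFC 4509 (SHA-256) and
RFC 6605 (SHA-384). RRSIGs are not checked: this is alignment, not validity."""
import hashlib
from dataclasses import dataclass

# Digest types a DS can carry; anything else is unverifiable by this script.
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (ZONE|SEP), 256 = ZSK (ZONE)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA; both the key tag and the DS digest cover it."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (algorithm 1 excluded)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """Build the DS record a parent would publish for this DNSKEY."""
    rdata = key.rdata()
    digest = hashlib.new(DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """True when the DS was derived from exactly this DNSKEY at this owner."""
    if ds.digest_type not in DIGEST_ALGS or ds.algorithm != key.algorithm:
        return False
    return ds == ds_from_dnskey(owner, key, ds.digest_type)


def check_ds_alignment(owner: str, ds_set: list, dnskeys: list) -> dict:
    """Classify the parent's DS set against the child's DNSKEY set.
    insecure - no DS at all: the delegation is unsigned, by design or by accident
    ok       - every DS points at a DNSKEY the child serves
    warning  - some DS has no DNSKEY behind it (a pre-published standby KSK or a
               stale DS); harmless today, but the matched pair is all that keeps
               the zone validatable, so removing it makes the zone bogus
    bogus    - no DS matches any DNSKEY: validating resolvers will SERVFAIL"""
    if not ds_set:
        return {"status": "insecure", "matched": [], "unmatched": []}
    matched = [ds for ds in ds_set if any(ds_matches(owner, ds, k) for k in dnskeys)]
    unmatched = [ds for ds in ds_set if ds not in matched]
    status = "bogus" if not matched else ("warning" if unmatched else "ok")
    return {"status": status, "matched": matched, "unmatched": unmatched}


# Constructed sample data (not real keys): two KSKs and a ZSK for a made-up zone.
OWNER = "example.net."
KSK_A = DNSKEY(257, 3, 8, bytes(range(3, 70)))
KSK_B = DNSKEY(257, 3, 8, bytes(range(200, 255)))   # standby key, never in the child
ZSK = DNSKEY(256, 3, 8, bytes(range(40, 100)))
DS_A = ds_from_dnskey(OWNER, KSK_A, 2)
DS_B = ds_from_dnskey(OWNER, KSK_B, 2)

if __name__ == "__main__":
    scenarios = {
        "normal":           ([DS_A],       [KSK_A, ZSK]),
        "lame standby DS":  ([DS_A, DS_B], [KSK_A, ZSK]),
        "KSK_A removed":    ([DS_A, DS_B], [ZSK]),         # the catastrophic case
        "DS_A removed too": ([DS_B],       [ZSK]),         # "going insecure" that did not
    }
    for label, (ds_set, keys) in scenarios.items():
        r = check_ds_alignment(OWNER, ds_set, keys)
        print(f"{label:17s} {r['status']:8s} unmatched tags={[d.key_tag for d in r['unmatched']]}")
```

The "KSK_A removed" and "DS_A removed too" scenarios are the sequence Matt describes: the standby DS was overlooked, the working DS/DNSKEY pair was removed to take the zone insecure, and what is left is a DS set that validators cannot anchor to anything. A checker that had warned on the lame DS earlier would have made that step visibly wrong before it was taken.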


