[dns-operations] .fr has 5 DNSKEYs
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue May 31 09:34:10 UTC 2011
On Mon, May 30, 2011 at 04:07:05PM -0400,
Paul Wouters <paul at xelerance.com> wrote
a message of 13 lines which said:
> Why would you need a "resue ZSK"? You can introduce any new ZSK at
> any time with zero notice
I'm not convinced. Suppose a validating resolver has in its cache a DNSKEY
RRset with a TTL of X seconds, and you suddenly publish a new ZSK and start
using it for signing. If the resolver gets a signature done with the
new ZSK but its cache still contains the old DNSKEY set, what will
happen?
Theoretical answer: validation may fail because the timing is wrong.
Practical answer: I don't know, I did not test BIND or Unbound
behavior in that case.
Pre-publishing the ZSK solves this problem.
RFC 4641, section 4.2.1.1.
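As an added illustration (not part of the message above, and not code from BIND, Unbound or any registry), the following Python simulation models the race the message describes: a validator keeps its cached DNSKEY RRset until the TTL expires, so if the zone starts signing with a ZSK that is not in that cached set, the answer is bogus. The key tags, the timeline values, and the assumption that every authoritative serves the new RRset only after a fixed worst-case propagation delay are constructed for the example; the "wait DNSKEY TTL plus propagation before signing" rule is the pre-publish scheme of RFC 4641, section 4.2.1.1.

```python
"""
Simulation of the DNSKEY-cache race during a ZSK roll.

A validator that fetched the DNSKEY RRset before the new ZSK was added
keeps that old RRset until its TTL expires.  If the zone starts signing
with the new ZSK before every such cache has expired, a validator can
hold an RRSIG made by a key it has never seen, and validation fails.
Pre-publishing the key (RFC 4641, 4.2.1.1) closes that window.
All times are seconds on an arbitrary clock; key tags are made up.
"""
from dataclasses import dataclass

OLD_ZSK = 12345   # constructed key tag of the ZSK currently in use
NEW_ZSK = 54321   # constructed key tag of the ZSK being introduced


@dataclass
class ZoneTimeline:
    dnskey_ttl: int          # TTL of the DNSKEY RRset
    propagation: int         # assumed worst-case lag until every authoritative serves the new RRset
    publish_at: int          # when the new ZSK is added to the DNSKEY RRset on the primary
    sign_with_new_from: int  # when RRSIGs over zone data start being made with the new ZSK

    def dnskey_set(self, t):
        """DNSKEY RRset an authoritative serves at time t (worst-case lag assumed)."""
        if t < self.publish_at + self.propagation:
            return {OLD_ZSK}
        return {OLD_ZSK, NEW_ZSK}

    def signing_key(self, t):
        """Key tag of the ZSK whose RRSIG a fresh data query returns at time t."""
        return NEW_ZSK if t >= self.sign_with_new_from else OLD_ZSK


def validator_outcome(zone, fetched_at, query_at):
    """'secure' or 'bogus' for a validator that cached the DNSKEY RRset at fetched_at.

    The data RRSIG is assumed to be fetched fresh at query_at, which is
    exactly the case the message above describes: new signature, old keys.
    """
    if query_at < fetched_at + zone.dnskey_ttl:
        keys = zone.dnskey_set(fetched_at)   # still within TTL: reuse the cached RRset
    else:
        keys = zone.dnskey_set(query_at)     # expired: refetch DNSKEY now
    return "secure" if zone.signing_key(query_at) in keys else "bogus"


def bogus_window(zone, query_at):
    """DNSKEY fetch times within one TTL of query_at that lead to a bogus answer."""
    start = query_at - zone.dnskey_ttl + 1
    return {f for f in range(start, query_at + 1)
            if validator_outcome(zone, f, query_at) == "bogus"}


def earliest_safe_signing_time(zone):
    """Pre-publish rule: add the key, wait DNSKEY TTL plus propagation, then sign with it."""
    return zone.publish_at + zone.propagation + zone.dnskey_ttl


if __name__ == "__main__":
    # Scenario from the message: publish the new ZSK and sign with it at once.
    abrupt = ZoneTimeline(dnskey_ttl=3600, propagation=60, publish_at=1000, sign_with_new_from=1000)
    print("abrupt roll, validator cached DNSKEY at t=800, queries at t=1500:",
          validator_outcome(abrupt, 800, 1500))
    print("fetch times that yield bogus at t=1500:", len(bogus_window(abrupt, 1500)))

    # Pre-publish: same zone, but signing only starts after the wait.
    safe_at = earliest_safe_signing_time(abrupt)
    prepub = ZoneTimeline(dnskey_ttl=3600, propagation=60, publish_at=1000, sign_with_new_from=safe_at)
    print("pre-publish roll, earliest signing time:", safe_at,
          "bogus fetch times:", len(bogus_window(prepub, safe_at)))
```

The simulation only shows what a correct validator must conclude from its cache; it does not reproduce what BIND or Unbound actually do when the key tag in the RRSIG is missing from the cached RRset (some resolvers refetch DNSKEY on a key-tag miss, which is the "practical answer" the message leaves open).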