[dns-operations] .fr has 5 DNSKEYs

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue May 31 09:34:10 UTC 2011

On Mon, May 30, 2011 at 04:07:05PM -0400,
 Paul Wouters <paul at xelerance.com> wrote 
 a message of 13 lines which said:

> Why would you need a "rescue ZSK"? You can introduce any new ZSK at
> any time with zero notice

I'm not convinced. If a validating resolver has in its cache a DNSKEY
with a TTL of X seconds and you suddenly publish a new ZSK and start
using it for signing. If the resolver gets a signature done with the
new ZSK but its cache still contains the old DNSKEY set, what will

Theoretical answer: validation may fail because this is an incorrect
timing. Practical answer: I don't know, I did not test BIND or Unbound
behavior in that case.

Pre-publishing the ZSK solves this problem.

RFC 4641, section
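
The timing problem described in the message above, as a small simulation. This is an added example, not part of the original post; the key tags, times and the strict resolver model (no DNSKEY re-fetch after a validation failure, data RRsets fetched fresh on every query) are assumptions, and BIND or Unbound may behave differently.

```python
from dataclasses import dataclass

OLD, NEW = 11111, 22222   # constructed key tags for the old and new ZSK
TTL = 3600                # constructed DNSKEY RRset TTL ("X seconds")

@dataclass(frozen=True)
class ZoneState:
    start: int            # time (s) from which the zone serves this state
    dnskeys: frozenset    # key tags published in the DNSKEY RRset
    signer: int           # key tag of the ZSK producing the RRSIGs

def state_at(timeline, t):
    """Return the last zone state whose start time is <= t."""
    return max((s for s in timeline if s.start <= t), key=lambda s: s.start)

def failing_queries(timeline, fetch_time, query_times, ttl=TTL):
    """Query times at which the modelled resolver cannot validate.

    Assumed model: the DNSKEY RRset is cached at fetch_time, refreshed only
    when its TTL expires, never re-fetched after a failure; the signed
    data RRset is fetched fresh from the zone on every query.
    """
    cached, expires = state_at(timeline, fetch_time).dnskeys, fetch_time + ttl
    failures = []
    for t in sorted(query_times):
        if t >= expires:                      # TTL ran out: refresh the cache
            cached, expires = state_at(timeline, t).dnskeys, t + ttl
        if state_at(timeline, t).signer not in cached:
            failures.append(t)                # RRSIG made by an unknown key
    return failures

# New ZSK published and used for signing at the same instant (t=1000).
ABRUPT = [ZoneState(0, frozenset({OLD}), OLD),
          ZoneState(1000, frozenset({OLD, NEW}), NEW)]

# New ZSK pre-published at t=1000, used for signing only one TTL later.
PREPUBLISHED = [ZoneState(0, frozenset({OLD}), OLD),
                ZoneState(1000, frozenset({OLD, NEW}), OLD),
                ZoneState(1000 + TTL, frozenset({OLD, NEW}), NEW)]

QUERIES = [900, 1200, 3000, 4200, 5000]       # resolver cached DNSKEY at t=500

if __name__ == "__main__":
    print("abrupt:       ", failing_queries(ABRUPT, 500, QUERIES))
    print("pre-published:", failing_queries(PREPUBLISHED, 500, QUERIES))
```

In this model the abrupt switch fails for every query between the switch and the expiry of the cached DNSKEY RRset, while waiting one full DNSKEY TTL after pre-publication leaves no failing window regardless of when the resolver cached the old set.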
