[dns-operations] .fr has 5 DNSKEYs
Paul Wouters
paul at xelerance.com
Tue May 31 14:30:13 UTC 2011
On Tue, 31 May 2011, Stephane Bortzmeyer wrote:
> Pre-publishing the ZSK solves this problem.
I did not mean to say don't prepublish a new ZSK key. But you only need
to do that when you're doing a ZSK rollover. Add the ZSK and wait at least
TTL RRset(DNSKEY). So in your case, you only need just over 2 days with a
double ZSK. Though in your system there is now also a time when there are
3 ZSKs.
I guess you can play safe and prepublish the new ZSK all the time, though
personally I would expect more outages based on dns packet sizes for the
DNSKEY set, then from needing to do an emergency ZSK rollover.
Paul
More information about the dns-operations
mailing list