[dns-operations] Graphical timelines for DNSSEC operations

Emmanuel Thierry ml at sekil.fr
Fri Dec 13 14:21:56 UTC 2013

(First time posting on this ML)

After several months of waiting, i'm testing DNSSEC deployment with some on my domains, using opendnssec software.
However, some principles still are hard to envision for dummies, especially time schedules.

As an example, RFC 6781 shows a very clear timeline on section about signature validity. But it miss it for any other operation (KSK or ZSK rollover, DS publication in the parent zone, ...). Concretely, it implies that system administrators who are not DNSSEC experts may have a lot trouble to understand what exactly mean each configuration parameters in softwares stick really tightly to RFC 6781 such as opendnssec. In consequence, DNSSEC configuration looks like black magic that will work (because software is made to do so) but we don't know why...
In my very specific case, i don't understand which of my parameters makes the KSK to take one day to be considered as "published" when my zones TTL are set to 3600.

Does material exists to explicit graphically (in an ideal way) each specific key and DNSSEC records life cycle, in the same manner of section ?

Emmanuel Thierry

More information about the dns-operations mailing list