[dns-operations] Graphical timelines for DNSSEC operations

Klaus Darilion klaus.mailinglists at pernau.at
Fri Dec 13 14:43:16 UTC 2013


On 13.12.2013 15:21, Emmanuel Thierry wrote:
> Hello
> (First time posting on this ML)
>
> After several months of waiting, I'm testing DNSSEC deployment with some of my domains, using OpenDNSSEC software.
> However, some principles still are hard to envision for dummies, especially time schedules.
>
> As an example, RFC 6781 shows a very clear timeline in section 4.4.2.2 about signature validity. But it is missing for any other operation (KSK or ZSK rollover, DS publication in the parent zone, ...). Concretely, it implies that system administrators who are not DNSSEC experts may have a lot of trouble understanding what exactly each configuration parameter means in software that sticks really tightly to RFC 6781, such as OpenDNSSEC. As a consequence, DNSSEC configuration looks like black magic that will work (because software is made to do so) but we don't know why...
> In my very specific case, I don't understand which of my parameters makes the KSK take one day to be considered as "published" when my zones' TTLs are set to 3600.

Maybe you have configured a long "propagation delay".
See https://wiki.opendnssec.org/display/DOCS/kasp.xml

>
> Does material exist to make explicit graphically (in an ideal way) each specific key and DNSSEC record life cycle, in the same manner as section 4.4.2.2?

Have you checked:
https://wiki.opendnssec.org/display/DOCS/Key+Rollovers and
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-03

regards
Klaus


