[dns-operations] Graphical timelines for DNSSEC operations

Klaus Darilion klaus.mailinglists at pernau.at
Wed Dec 18 09:22:57 UTC 2013



On 13.12.2013 16:10, Emmanuel Thierry wrote:
> Hello,
>
> On 13 Dec 2013, at 15:43, Klaus Darilion wrote:
>
>> On 13.12.2013 15:21, Emmanuel Thierry wrote:

>>>
>>> Does material exist to make explicit graphically (in an ideal way) each specific key and DNSSEC record life cycle, in the same manner as section 4.4.2.2?
>>
>> Have you checked:
>> https://wiki.opendnssec.org/display/DOCS/Key+Rollovers and
>> http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-03
>
> A lot clearer! I think any system administrator deploying DNSSEC-enabled authoritative servers should have it! ;)
> However, I still wonder how, for instance, the PropagationDelay field from the Parent block is used. The zone was automatically marked "active" when I set it ds-seen. I would have expected OpenDNSSEC to wait for PropagationDelay to mark it active according to the timeline you refer to (PropagationDelay == "Dreg"?). Anyway, we are switching a bit to OpenDNSSEC internals.

I'm not sure about ODS internals, but IIRC ODS uses double-signature. 
So, maybe the propagation delay of the parent zone (and the TTL of the 
DS) is considered before retiring the old KSK.

regards
Klaus


