[dns-operations] What's wrong with my domain?

Warren Kumari warren at kumari.net
Wed Jul 2 13:22:07 UTC 2014


On Wed, Jul 2, 2014 at 8:19 AM, Tony Finch <dot at dotat.at> wrote:
> Mohamed Lrhazi <ml623 at georgetown.edu> wrote:
>>
>> gu.edu is, luckily, a test domain, and not production. I had enabled DNSSEC
>> in our F5 GTM front-ending DNS, and forgot about it. Seems I have to learn
>> that after a while keys are rolled over and I need to do some work about
>> it....
>
> Surely it has an interlock to prevent a KSK rollover going ahead without a
> DS change?!

Obligatory pointer at document that *should* automate this, and so
prevent bad KSK rolls (if deployed :-)):
https://datatracker.ietf.org/doc/draft-ietf-dnsop-delegation-trust-maintainance/

Basically, when the signing tool rolls the key, it publishes the new
key in the zone, the parent (registrar or registry) periodically
scrapes the zone and then publishes the new DS.

Currently with the RFC Editor.

W

(FD: author).

>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> South Utsire: Westerly 3 or 4, backing southwesterly 5 or 6 for a time. Slight
> or moderate. Rain for a time. Good, occasionally moderate.

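The interlock Tony Finch asks about, sketched as an added example that is not part of the original message or of any F5 or IETF code: before the old KSK is retired, confirm that the DS set at the parent matches at least one KSK that will remain in the zone. The zone name, key bytes and function names are constructed for illustration; in practice the DS set would come from a query to the parent zone.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercased) wire form of a domain name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key.
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, algorithm):
    """DS as a tuple: (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def rollover_safe(owner, remaining_ksks, algorithm, parent_ds_set):
    """True only if at least one KSK left in the zone has a matching parent DS."""
    return any(make_ds(owner, r, algorithm) in parent_ds_set for r in remaining_ksks)

# Constructed sample data: placeholder key bytes, not real keys.
ZONE = "example.test."
OLD_KSK = dnskey_rdata(257, 8, b"\x01" * 32)   # 257 = KSK flags, 8 = RSASHA256
NEW_KSK = dnskey_rdata(257, 8, b"\x02" * 32)
PARENT_DS = {make_ds(ZONE, OLD_KSK, 8)}        # parent still lists only the old key

if __name__ == "__main__":
    # Retiring the old KSK now would leave no chain of trust from the parent.
    print("retire old KSK?", rollover_safe(ZONE, [NEW_KSK], 8, PARENT_DS))
    # Once the parent has published the new DS, the old key can go.
    updated = PARENT_DS | {make_ds(ZONE, NEW_KSK, 8)}
    print("retire old KSK?", rollover_safe(ZONE, [NEW_KSK], 8, updated))
```

A signer that runs this check before deleting the old key fails closed when the parent has not yet picked up the new DS.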