[dns-operations] What's wrong with my domain?

Jorge Fábregas jorge.fabregas at gmail.com
Wed Jul 2 23:18:35 UTC 2014


On 07/02/2014 04:54 PM, Lawrence K. Chen, P.Eng. wrote:
> Otherwise, wonder what I could do in my home grown automation scripts to
> check for new DS and somehow extend the rollover time automatically?

If there's no such automation in place (parent monitoring child for new
KSK in order to update its DS records) I wouldn't use an automated KSK
rollover.  I'd do it manually (KSK double-signature rollover) when the
time arrives.  That way I'm in control (e.g. I won't delete old KSK
until I make sure parent has new DS & wait for the old DS' TTL time).

I really think this is the best approach when there's no such
automation.  If there's a better way I'd be glad to hear it (I'm starting
out with DNSSEC :)

Regards,
Jorge
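
The check described in this message (delete the old KSK only once the parent publishes the new DS and the DS TTL has passed), as an added example that is not part of the original post. The function names, timestamps and key bytes are constructed for illustration, and the parent's DS set is assumed to have been fetched separately from the parent's name servers.

```python
import hashlib

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_for(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def rollover_step(owner, new_ksk, parent_ds, new_ds_seen_at, ds_ttl, now):
    """Decide whether the old KSK may be deleted yet.

    parent_ds:      DS tuples currently served by the parent's name servers
    new_ds_seen_at: time the new DS was first observed there (None if never)
    ds_ttl:         TTL of the DS RRset at the parent, in seconds
    """
    if new_ds_seen_at is None or ds_for(owner, new_ksk) not in parent_ds:
        return "wait: parent does not publish the new DS yet"
    remaining = new_ds_seen_at + ds_ttl - now
    if remaining > 0:
        return f"wait: {remaining}s until cached old DS sets expire"
    return "ok: old KSK can be deleted"

# Constructed sample data, not real keys: flags 257 (KSK), protocol 3, algorithm 8.
OWNER = "example.com."
OLD_KSK = bytes([0x01, 0x01, 3, 8]) + b"\x01\x02\x03\x04"
NEW_KSK = bytes([0x01, 0x01, 3, 8]) + b"\x0a\x0b\x0c\x0d"

if __name__ == "__main__":
    both = {ds_for(OWNER, OLD_KSK), ds_for(OWNER, NEW_KSK)}
    print(rollover_step(OWNER, NEW_KSK, {ds_for(OWNER, OLD_KSK)}, None, 86400, 5000))
    print(rollover_step(OWNER, NEW_KSK, both, 1000, 86400, 5000))
    print(rollover_step(OWNER, NEW_KSK, both, 1000, 86400, 90000))
```
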


