[dns-operations] Pre-publishing KSKs and ZSKs

Anand Buddhdev anandb at ripe.net
Tue Nov 24 09:22:27 UTC 2015



Dear DNS folk,

I'm asking for opinions about pre-publishing KSKs and ZSKs. Our signer
software pre-publishes both by default, but provides an option not to.

Pre-publishing has the feature that in the event of an emergency
roll-over, the keys should already be cached. However, this appears
to be the only advantage. Otherwise, the standby keys make the DNSKEY
response bigger.

We publish our keys with a TTL of 1 hour, which is rather short. My
thinking is that with such a short TTL, we shouldn't need to
pre-publish standby keys, because we can introduce new keys quickly.
Would you all agree with my assessment? Have I missed any other
obvious reason for pre-publishing keys?

Regards,

Anand Buddhdev
RIPE NCC
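As an added illustration (not part of the message above, nor of any signer software), here is a Python sketch of the two quantities the question trades off: how much larger the DNSKEY answer gets with standby keys, and how long an emergency rollover has to wait when no standby key is cached. The per-RR byte counts are constructed wire-format estimates for RSA-2048 and ECDSA P-256 with compressed names; the 1232-byte threshold is the commonly used EDNS buffer size chosen to avoid fragmentation.

```python
"""Estimate DNSKEY response size with/without pre-published standby keys, and the
wait an emergency rollover needs before a freshly introduced key validates
everywhere. All sizes are approximations (constructed for this example)."""

# One DNSKEY RR on the wire: 12 bytes RR header (2-byte compressed owner name +
# type/class/TTL/rdlength) + 4 bytes flags/protocol/algorithm + public key.
# RSA-2048 key = 1 (exponent length) + 3 (exponent 65537) + 256 (modulus).
DNSKEY_RR = {"RSASHA256-2048": 12 + 4 + 260, "ECDSAP256SHA256": 12 + 4 + 64}
# One RRSIG RR: 12 RR header + 18 fixed RDATA fields + 2 compressed signer name + signature.
RRSIG_RR = {"RSASHA256-2048": 12 + 18 + 2 + 256, "ECDSAP256SHA256": 12 + 18 + 2 + 64}
EDNS_SAFE_PAYLOAD = 1232  # widely used EDNS buffer size that avoids IP fragmentation


def dnskey_response_size(alg, active_ksk=1, active_zsk=1,
                         standby_ksk=0, standby_zsk=0, qname_len=10):
    """Approximate size in bytes of a DNSKEY answer: DNS header, question,
    the whole DNSKEY RRset (active + standby keys) and one RRSIG per active KSK
    (standby keys are published but do not sign)."""
    header_and_question = 12 + (qname_len + 2) + 4  # qname plus length/terminator bytes
    keys = active_ksk + active_zsk + standby_ksk + standby_zsk
    return header_and_question + keys * DNSKEY_RR[alg] + active_ksk * RRSIG_RR[alg]


def fits_without_fragmentation(size):
    """True if the answer fits the conservative EDNS payload size."""
    return size <= EDNS_SAFE_PAYLOAD


def emergency_rollover_wait(dnskey_ttl, propagation_delay, prepublished):
    """Seconds before signatures made with the replacement key validate at every
    resolver. A key that was pre-published (and has been for at least one TTL) is
    already in caches, so it can start signing at once. Otherwise the new DNSKEY
    must be visible for a full DNSKEY TTL, plus the time the updated zone takes
    to reach every authoritative server, before it is safe to sign with it."""
    if prepublished:
        return 0
    return dnskey_ttl + propagation_delay


if __name__ == "__main__":
    for alg in DNSKEY_RR:
        plain = dnskey_response_size(alg)
        with_standby = dnskey_response_size(alg, standby_ksk=1, standby_zsk=1)
        print(f"{alg}: {plain} bytes active-only, {with_standby} bytes with standby KSK+ZSK,"
              f" fits={fits_without_fragmentation(with_standby)}")
    # Constructed scenario: 1 hour DNSKEY TTL, 10 minutes to push the zone out.
    print("emergency wait, no standby key:", emergency_rollover_wait(3600, 600, False), "s")
    print("emergency wait, standby key cached:", emergency_rollover_wait(3600, 600, True), "s")
```

With these estimates, an RSA-2048 zone that pre-publishes both a standby KSK and ZSK crosses the 1232-byte mark, while the same layout with ECDSA P-256 stays well under it; the rollover wait without a standby key is simply the DNSKEY TTL plus propagation time.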
