[dns-operations] Is it safe to immediately publish the DS just after signing the zone?

Klaus Darilion klaus.mailinglists at pernau.at
Wed Sep 4 11:57:16 UTC 2019


I wonder how resolvers behave when they find for a zone a DS record, but
have cached zone RRs without RRSIG.

Example: example.com gets signed. www.example.com IN A has a TTL of 1
week. Immediately after signing the zone I publish the DS in the .com zone.

So, may it happen that a resolver (or some validating stub resolver
downstream) finds the DS and the cached RR without RRSIG causes SERVFAIL
or other problems?

Currently I only publish the DS after max(highest-RR-TTL,negative-TTL)
to be on the safe side. But this sometimes causes long waiting. So I
wonder if it may be safe to ignore TTLs when publishing the inital DS.


More information about the dns-operations mailing list