[dns-operations] Is it safe to immediately publish the DS just after signing the zone?
klaus.mailinglists at pernau.at
Wed Sep 4 11:57:16 UTC 2019
I wonder how resolvers behave when they find for a zone a DS record, but
have cached zone RRs without RRSIG.
Example: example.com gets signed. www.example.com IN A has a TTL of 1
week. Immediately after signing the zone I publish the DS in the .com zone.
So, may it happen that a resolver (or some validating stub resolver
downstream) finds the DS and the cached RR without RRSIG causes SERVFAIL
or other problems?
Currently I only publish the DS after max(highest-RR-TTL,negative-TTL)
to be on the safe side. But this sometimes causes long waiting. So I
wonder if it may be safe to ignore TTLs when publishing the initial DS.
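
Added example, not part of the original post: the conservative wait described above, max(highest-RR-TTL, negative-TTL), computed from the pre-signing zone contents. The zone text, the one-record-per-line format with explicit TTLs, and the function names are constructed for illustration; the negative TTL follows RFC 2308 (the lower of the SOA TTL and the SOA MINIMUM field).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone: one record per line, explicit TTLs, no $TTL/$ORIGIN.
ZONE = """\
example.com.      3600   IN SOA ns1.example.com. hostmaster.example.com. 2019090401 7200 3600 1209600 900
example.com.      86400  IN NS  ns1.example.com.
ns1.example.com.  86400  IN A   192.0.2.53
www.example.com.  604800 IN A   192.0.2.10
"""

def parse_zone(text):
    """Yield (owner, ttl, rtype, rdata_fields) for each record line."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        if rclass != "IN":
            raise ValueError(f"unexpected class in: {line}")
        yield owner, int(ttl), rtype.upper(), rdata

def ds_wait_seconds(text):
    """max(highest RR TTL, negative TTL) for the unsigned zone contents."""
    highest_ttl, negative_ttl = 0, None
    for _owner, ttl, rtype, rdata in parse_zone(text):
        highest_ttl = max(highest_ttl, ttl)
        if rtype == "SOA":
            # RFC 2308: negative answers are cached for min(SOA TTL, SOA MINIMUM).
            negative_ttl = min(ttl, int(rdata[-1]))
    if negative_ttl is None:
        raise ValueError("zone has no SOA record")
    return max(highest_ttl, negative_ttl)

def earliest_ds_publication(text, signed_zone_live_at):
    """Signing time plus the wait; assumes caches honor the published TTLs."""
    return signed_zone_live_at + timedelta(seconds=ds_wait_seconds(text))

if __name__ == "__main__":
    live = datetime(2019, 9, 4, 12, 0, tzinfo=timezone.utc)  # constructed
    print(ds_wait_seconds(ZONE), earliest_ds_publication(ZONE, live).isoformat())
```

With the one-week TTL on www.example.com from the example in the post, the wait is 604800 seconds, counted from the moment every authoritative server is serving the signed zone.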