[dns-operations] Is it safe to immediately publish the DS just after signing the zone?

Anand Buddhdev anandb at ripe.net
Wed Sep 4 12:22:53 UTC 2019

Previous message (by thread): [dns-operations] Is it safe to immediately publish the DS just after signing the zone?
Next message (by thread): [dns-operations] Is it safe to immediately publish the DS just after signing the zone?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 04/09/2019 13:57, Klaus Darilion wrote:

Hi Klaus,

> I wonder how resolvers behave when they find for a zone a DS record, but
> have cached zone RRs without RRSIG.

They *will* fail to validate the unsigned cached records. Therefore, do
*not* publish the DS record immediately.

Regards,
Anand

Previous message (by thread): [dns-operations] Is it safe to immediately publish the DS just after signing the zone?
Next message (by thread): [dns-operations] Is it safe to immediately publish the DS just after signing the zone?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dns-operations mailing list