[dns-operations] Is it safe to immediately publish the DS just after signing the zone?

Anand Buddhdev anandb at ripe.net
Wed Sep 4 12:22:53 UTC 2019

On 04/09/2019 13:57, Klaus Darilion wrote:

Hi Klaus,

> I wonder how resolvers behave when they find for a zone a DS record, but
> have cached zone RRs without RRSIG.

They *will* fail to validate the unsigned cached records. Therefore, do
*not* publish the DS record immediately.


More information about the dns-operations mailing list