[dns-operations] Is it safe to immediately publish the DS just after signing the zone?
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Sep 4 13:13:43 UTC 2019
On Wed, Sep 04, 2019 at 02:22:53PM +0200, Anand Buddhdev wrote:
> > I wonder how resolvers behave when they find for a zone a DS record, but
> > have cached zone RRs without RRSIG.
>
> They *will* fail to validate the unsigned cached records. Therefore, do
> *not* publish the DS record immediately.
Where "they" means validating resolvers downstream of a forwarder's
cache or secondary nameserver. If such a downstream validating
resolver has not previously cached the RRset in question, and is
now fetching a stale copy from a forwarder, then it may designate
the RRset as "bogus". RRsets are validated when they are received
and cached, not when answering from the cache.
--
Viktor.
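The failure mode Viktor describes can be modelled with a few lines of code. The following is an added illustration, not code from the thread or from any of the participants: it simulates a non-validating forwarder that cached an unsigned RRset before the zone was signed, and a validating resolver behind it that validates data when it is received and then serves its own cache without re-validating. All names, TTLs and clock values are constructed; the `earliest_safe_ds_time` rule (wait at least the TTL of the unsigned data after signing) is an assumption added here, not something the thread states.

```python
"""Toy model of the DS-publication timing hazard: a forwarder keeps serving
an unsigned RRset until its TTL expires, and a validating resolver behind it
judges that answer "bogus" once the parent publishes the DS.
Everything below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: str
    signed: bool       # True if the answer carried an RRSIG when it was fetched
    fetched_at: int    # constructed clock, in seconds
    ttl: int

    def expired(self, now: int) -> bool:
        return now >= self.fetched_at + self.ttl


class AuthZone:
    """Authoritative server: answers are unsigned until sign() is called."""
    def __init__(self, ttl: int):
        self.ttl = ttl
        self.signed_at: Optional[int] = None

    def sign(self, now: int) -> None:
        self.signed_at = now

    def answer(self, name: str, rtype: str, now: int) -> RRset:
        signed = self.signed_at is not None and now >= self.signed_at
        return RRset(name, rtype, "192.0.2.1", signed, now, self.ttl)


class Parent:
    """Parent zone: the DS exists from ds_published_at onwards."""
    def __init__(self):
        self.ds_published_at: Optional[int] = None

    def publish_ds(self, now: int) -> None:
        self.ds_published_at = now

    def has_ds(self, now: int) -> bool:
        return self.ds_published_at is not None and now >= self.ds_published_at


class Forwarder:
    """Non-validating caching forwarder: serves whatever it has cached."""
    def __init__(self, zone: AuthZone):
        self.zone = zone
        self.cache: Dict[Tuple[str, str], RRset] = {}

    def query(self, name: str, rtype: str, now: int) -> RRset:
        key = (name, rtype)
        entry = self.cache.get(key)
        if entry is None or entry.expired(now):
            entry = self.zone.answer(name, rtype, now)
            self.cache[key] = entry
        return entry


class ValidatingResolver:
    """Validates an RRset when it is received; later answers come from cache."""
    def __init__(self, forwarder: Forwarder, parent: Parent):
        self.forwarder = forwarder
        self.parent = parent
        self.cache: Dict[Tuple[str, str], Tuple[RRset, str]] = {}

    def resolve(self, name: str, rtype: str, now: int) -> str:
        key = (name, rtype)
        cached = self.cache.get(key)
        if cached and not cached[0].expired(now):
            return cached[1]                      # cache hit: no re-validation
        rrset = self.forwarder.query(name, rtype, now)
        if not self.parent.has_ds(now):
            status = "insecure"                   # no DS yet: unsigned data is fine
        elif rrset.signed:
            status = "secure"
        else:
            status = "bogus"                      # DS present, but no RRSIG
        self.cache[key] = (rrset, status)
        return status


def scenario(ds_publish_at: int, query_at: int, ttl: int = 3600,
             warm_query_at: Optional[int] = None) -> str:
    """Constructed timeline: forwarder caches unsigned data at t=900, the zone is
    signed at t=1000, the DS appears at ds_publish_at, and the validating
    resolver queries at query_at (optionally once earlier, at warm_query_at)."""
    zone, parent = AuthZone(ttl), Parent()
    fwd = Forwarder(zone)
    fwd.query("www.example", "A", 900)            # unsigned copy enters the cache
    zone.sign(1000)
    parent.publish_ds(ds_publish_at)
    resolver = ValidatingResolver(fwd, parent)
    if warm_query_at is not None:
        resolver.resolve("www.example", "A", warm_query_at)
    return resolver.resolve("www.example", "A", query_at)


def earliest_safe_ds_time(signed_at: int, max_unsigned_ttl: int) -> int:
    """Assumption, not from the thread: an unsigned copy fetched just before
    signing can live for its full TTL, so wait at least that long."""
    return signed_at + max_unsigned_ttl


if __name__ == "__main__":
    print("DS published at signing, query 100 s later:", scenario(1000, 1100))
    print("DS published after the old TTL expired:     ", scenario(4500, 4600))
    print("Earliest safe DS time for TTL 3600:         ", earliest_safe_ds_time(1000, 3600))
```

Running it shows the two outcomes the thread contrasts: publishing the DS at the moment of signing yields `bogus` for a resolver that first sees the zone through the stale forwarder, while a resolver that had already cached the data as `insecure` before the DS appeared keeps answering `insecure` from its own cache, exactly because validation happens on receipt rather than on each cache hit.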