[dns-operations] Is it safe to immediately publish the DS just after signing the zone?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Sep 4 13:13:43 UTC 2019

On Wed, Sep 04, 2019 at 02:22:53PM +0200, Anand Buddhdev wrote:

> > I wonder how resolvers behave when they find for a zone a DS record, but
> > have cached zone RRs without RRSIG.
> They *will* fail to validate the unsigned cached records. Therefore, do
> *not* publish the DS record immediately.

Where "they" means validating resolvers downstream of a forwarder's
cache or secondary nameserver.  If such a downstream validating
resolver has not previously cached the RRset in question, and is
now fetching a stale copy from a forwarder, then it may designate
the RRset as "bogus".  RRsets are validated when they are received
and cached, not when answering from the cache.


More information about the dns-operations mailing list