[dns-operations] DNSSEC operations

Jim Reid jim at rfc1035.com
Wed Dec 16 20:29:54 UTC 2020



> On 16 Dec 2020, at 19:33, Eugene Tsuno - NOAA Affiliate via dns-operations <dns-operations at dns-oarc.net> wrote:
> 
> So do those who have subdomains delegated have to regenerate DS keys ever?

Yes. This *has* to be done whenever the child zone rolls its KSK. And every zone should change its KSK from time to time, just like we all change our login passwords from time to time.

It’s possible for a parent zone to detect the child zone’s KSK rollover and automagically generate a new DS record for it. However you need to document and implement a procedure for that, defining who’s responsible for what amongst other things. This is the sort of thing that’s likely to break if that procedure is not exercised regularly and everyone’s familiar with it. See RFCs 7344, 7583 and 8078.

DNSSEC is not a “fire and forget” protocol.
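As an added illustration (not part of Jim's post or any project's code): deriving a DS record from a child zone's KSK per RFC 4034, then diffing the parent's published DS set against the CDS set the child publishes (RFC 7344), which is the check a parent would run to notice a child KSK rollover and publish the replacement DS. The zone name and key bytes are constructed for the example.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags (257 = KSK/SEP), protocol (always 3), algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit word sum with the carry folded back in).
    This is the generic method; it does not cover the legacy RSA/MD5 (algorithm 1) case."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64):
    """DS RDATA as (key tag, algorithm, digest type 2 = SHA-256, uppercase hex digest).
    The digest is over owner name in wire form followed by the DNSKEY RDATA (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_delta(parent_ds, child_cds):
    """Compare the DS set the parent publishes with the CDS set the child publishes.
    Returns (records the parent must add, records it must remove); both empty means in sync."""
    parent_ds, child_cds = set(parent_ds), set(child_cds)
    return child_cds - parent_ds, parent_ds - child_cds

# Constructed sample: hypothetical child zone, made-up key bytes (not valid ECDSA keys).
CHILD = "child.example."
OLD_KSK = (257, 3, 13, base64.b64encode(b"old-key-bytes-not-a-real-key").decode())
NEW_KSK = (257, 3, 13, base64.b64encode(b"new-key-bytes-not-a-real-key").decode())

if __name__ == "__main__":
    parent = {ds_record(CHILD, *OLD_KSK)}                          # DS the parent holds today
    cds = {ds_record(CHILD, *OLD_KSK), ds_record(CHILD, *NEW_KSK)}  # child pre-publishes new KSK
    add, remove = ds_delta(parent, cds)
    print("add:", add)
    print("remove:", remove)
```

Once the child withdraws the old KSK from its CDS set, the same comparison reports the old DS as the one to remove, which is the second half of the rollover the post says the parent has to follow through on.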