[dns-operations] DNSSEC operations

Eugene Tsuno - NOAA Affiliate eugene.tsuno at noaa.gov
Wed Dec 16 22:13:22 UTC 2020


Thanks, that explains it.

On Wednesday, December 16, 2020, Jim Reid <jim at rfc1035.com> wrote:
>
>
>> On 16 Dec 2020, at 19:33, Eugene Tsuno - NOAA Affiliate via dns-operations <dns-operations at dns-oarc.net> wrote:
>>
>> So do those who have subdomains delegated have to regenerate DS keys ever?
>
> Yes. This *has* to be done whenever the child zone rolls its KSK. And every zone should change its KSK from time to time, just like we all change our login passwords from time to time.
>
> It’s possible for a parent zone to detect the child zone’s KSK rollover and automagically generate a new DS record for it. However you need to document and implement a procedure for that, defining who’s responsible for what amongst other things. This is the sort of thing that’s likely to break if that procedure is not exercised regularly and everyone’s familiar with it. See RFCs 7344, 7583 and 8078.
>
> DNSSEC is not a “fire and forget” protocol.
>
>
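
Added example, not part of the original messages or any project's code: a check that derives DS records from a child zone's KSKs (RFC 4034 key tag, SHA-256 digest type 2 per RFC 4509) and reports where the parent's DS set has fallen out of step after a KSK rollover. The zone name `child.example.`, the key bytes and the helper names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) wire form of a domain name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def audit_delegation(owner, child_dnskeys, parent_ds):
    """Compare the parent's DS set with the child's KSKs (SEP flag set).

    Returns (ksks_without_ds, ds_without_ksk) as sorted lists of DS tuples.
    """
    expected = {make_ds(owner, k) for k in child_dnskeys
                if struct.unpack("!H", k[:2])[0] & 0x0001}
    published = set(parent_ds)
    return sorted(expected - published), sorted(published - expected)

# Constructed sample data: placeholder byte strings, not real public keys.
ZONE = "child.example."
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
ZSK = dnskey_rdata(256, 13, bytes(range(128, 192)))

if __name__ == "__main__":
    parent_ds = [make_ds(ZONE, OLD_KSK)]  # DS created before the rollover
    missing, stale = audit_delegation(ZONE, [NEW_KSK, ZSK], parent_ds)
    print("KSKs with no DS at parent:", missing)
    print("DS records matching no KSK:", stale)
```

A non-empty second list with no overlap between parent DS and child KSKs means validating resolvers will treat the zone as bogus; during a rollover where both KSKs are published, only the first list should be non-empty until the parent adds the new DS.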