<div dir="ltr">Yeah, it looks like it is the case, as the F5 docs say:<div><br></div><div><div class="" style="margin:17pt 0pt 0pt auto;padding:0px;color:rgb(0,0,0);font-family:sans-serif;font-size:14pt;vertical-align:baseline">
<a name="1035041" style="color:rgb(0,0,0)">Providing DS records to the parent domain</a></div><div class="" style="margin:4pt 0pt 0pt 0px;padding:0px;color:rgb(0,0,0);font-family:sans-serif;font-size:13px;text-indent:0%;vertical-align:baseline">
<a name="1034998" style="color:rgb(0,0,0)">Each time a new generation of a key-signing key is created, you must </a>provide the updated DS record to the administrators of the parent zone. For example, in Figure <a href="https://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm_config_10_2/gtm_dnssec.html?sr=38618833#1016065" title="Working with DNSSEC Keys and Zones" class="" style="color:rgb(153,153,204);text-decoration:none">10.1</a>, the value of the <span style="font-weight:bold">Rollover Period</span> of the key is <span style="font-weight:bold">30</span> days, and the value of the <span style="font-weight:bold">Expiration Period </span>of the key is <span style="font-weight:bold">37</span> days. In the case of a key-signing key, a new generation of the key is created every 30 days, and you have seven days before the old generation of the key expires to provide the new DS record to the administrators of the parent zone. These administrators sign the new DS record with their own key and upload it their zone.</div>
</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 2, 2014 at 8:44 AM, Brett Carr <span dir="ltr"><<a href="mailto:Brett.Carr@nominet.org.uk" target="_blank">Brett.Carr@nominet.org.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
It would seem bad that the DNSSEC Implementation in f5’s would complete a KSK rollover (IE remove the old key) without some confirmation that the DS had been seen in the parent.
<div>Automation gone too far.</div><span class="HOEnZb"><font color="#888888">
<div><br>
</div>
<div>Brett</div>
</font></span><div><br>
<div><div><div class="h5">
<div>On 2 Jul 2014, at 12:56, Mohamed Lrhazi <<a href="mailto:ml623@georgetown.edu" target="_blank">ml623@georgetown.edu</a>> wrote:</div>
<br>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">So many useful tips, thank you all.
<div><br>
</div>
<div><a href="http://gu.edu/" target="_blank">gu.edu</a> is, luckily, a test domain, and not production. I had enabled DNSSec in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn that after a while keys are rolled over and I need to do some work about
it.... It makes DNSsec easy, but not that easy....</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Mohamed.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Jul 2, 2014 at 7:46 AM, Stephane Bortzmeyer <span dir="ltr">
<<a href="mailto:bortzmeyer@nic.fr" target="_blank">bortzmeyer@nic.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, Jul 02, 2014 at 12:08:36PM +0100,<br>
Tony Finch <<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>> wrote<br>
<div> a message of 25 lines which said:<br>
<br>
> Your DS record doesn't match your DNSKEY records.<br>
<br>
</div>
The OP could also use the excellent DNSviz:<br>
<br>
<a href="http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/" target="_blank">http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/</a><br>
<br>
which rightly says:<br>
<br>
<a href="http://gu.edu/DNSKEY:DS" target="_blank">gu.edu/DNSKEY:DS</a> RRs exist for algorithm(s) 7 in the edu zone, but no matching DNSKEYs of algorithm(s) 7 were used to sign the
<a href="http://gu.edu/" target="_blank">gu.edu</a> DNSKEY RRset.<br>
</blockquote>
</div>
<br>
</div></div></div><div class="">
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-jobs mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a></div></blockquote>
</div>
<br>
</div>
</div>
</blockquote></div><br></div>