Am I correct in assuming that I can set up our server with the DNSSEC keys and then without any great rush send the DLV records to isc.org and no resolver will reject our zone because of the partial setup?

What do I do when I want to change to new keys? It would seem that I can't change either my keys or the DLV record at isc.org without doing the other one first! Can I load new keys and keep the old ones loaded at the same time? If so, then changing the DLV record should be ok.

Is it reasonable to set the expiration time to some large value for zones that would not be interesting to anyone? I am thinking of changing the key yearly but set the expire time to 2 years so that there will be no problems if I get sidetracked for a month or so.

What happens if one of our secondaries has no special setup for DNSSEC? Should it be still able to serve any records that it gets in the zone transfer? And if it does not serve the key records when there are DLV records at isc.org what happens? I think that a.dns.tds.net is running some version of BIND, but when I query for version.bind I get the response that this is a rude question.

In case it is helpful, our domain is adi.com.

Tom Schulz
Applied Dynamics Intl.
[EMAIL PROTECTED]