On Tue, 16 Sep 2008, Thomas Schulz wrote:

> Am I correct in assuming that I can set up our server with the dnssec
> keys and then without any great rush send the dlv records to isc.org
> and no resolver will reject our zone because of the partial setup?

It should be fine. I have signed domains that don't have dlv records (and the parent doesn't know) and they work for others fine.

> What do I do when I want to change to new keys? It would seem that I
> can't change either my keys or the dlv record at isc.org without doing
> the other one first! Can I load new keys and keep the old ones loaded
> at the same time? If so, then changing the dlv record should be ok.

Yes, keep both keys at the same time. (I will see if I can get the ISC DLV webpage updated about this.)

> Is it reasonable to set the expiration time to some large value for
> zones that would not be interesting to anyone? I am thinking of
> changing the key yearly but set the expire time to 2 years so that
> there will be no problems if I get sidetracked for a month or so.

Yes, it is reasonable. Some do this monthly. Some do annually. Some say several years is fine. (There were detailed postings about this recently on this list.)

> What happens if one of our secondaries has no special setup for dnssec?
> Should it be still able to serve any records that it gets in the zone
> transfer?

It will be able to serve them. But it won't return the RRSIG or DS records automatically (so no DNSSEC).

> And if it does not serve the key records when there are dlv
> records at isc.org what happens?

Then it will be normal DNS. The DLV records won't be consulted (at least won't be required).
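The rollover advice above (keep the old and new key loaded until the DLV record at isc.org has been switched) can be checked mechanically: a DLV record carries the same RDATA as a DS record, a digest over the owner name plus the DNSKEY RDATA, so you can recompute it from the keys actually in the zone and confirm the published digest still matches one of them. The script below is an added example, not code from the thread or from ISC; the two KSKs and the zone name example.com are constructed dummies, and the key tag and digest follow RFC 4034 (Appendix B and section 5.1.4).

```python
import base64
import hashlib

# Constructed example keys (NOT real keys): flags 257 = KSK, protocol 3, algorithm 8 (RSA/SHA-256).
OLD_KSK = (257, 3, 8, "AQIDBA==")   # 4-byte dummy public key
NEW_KSK = (257, 3, 8, "BQYHCAkK")   # 6-byte dummy public key


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the number dnssec-keygen puts in the key file name)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: tuple, digest_type: int = 2) -> tuple:
    """DS/DLV record for a DNSKEY: (key tag, algorithm, digest type, hex digest).
    Digest type 2 is SHA-256, 1 is SHA-1; the digest covers owner name + DNSKEY RDATA."""
    rdata = dnskey_rdata(*key)
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    digest = h(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), key[2], digest_type, digest)


def ds_matches_loaded_key(owner: str, loaded_keys: list, ds: tuple) -> bool:
    """True if the published DS/DLV digest corresponds to a key currently loaded in the zone.
    If this is False after a rollover step, validators following the DLV entry will fail."""
    return any(make_ds(owner, k, ds[2]) == ds for k in loaded_keys)


if __name__ == "__main__":
    published = make_ds("example.com.", OLD_KSK)   # what dlv.isc.org would currently hold
    print("both keys loaded:", ds_matches_loaded_key("example.com.", [OLD_KSK, NEW_KSK], published))
    print("old key removed: ", ds_matches_loaded_key("example.com.", [NEW_KSK], published))
```

Run it against the real DNSKEY RRset and the DLV/DS entry before removing an old key; the check should stay True through every step of the rollover.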