On 17/11/2013 18:57, Chris Thompson wrote: Hi Chris,
> As a matter of interest to many of us, what are ARIN's operational > procedures for interlocking KSK rollovers in NNN.in-addr.arpa zones > with the change of DS records in in-addr.arpa? > > (Of course we could ask the same question of the other RIRs as well...) I haven't understood your question fully, but let me try answering. The RIPE NCC's procedure involves removing the old DS records, and inserting the new ones, in a single transaction, when we do KSK roll-overs. This saves us from having to do double the work. Last week, we began KSK roll-overs for all the RIPE NCC's zones. We began a slow start by updating the DS records for just 2.in-addr.arpa. However, our update did not appear in the in-addr.arpa zone. Our DNSSEC signer will not withdraw the old KSK until it has seen the new DS record, so it patiently kept waiting and logging this fact. We informed ICANN, and they fixed the operational issue in their provisioning system that was blocking the update. We expect to update the DS records of all zones this week. Regards, Anand Buddhdev RIPE NCC _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
