On 07/02/2014 04:54 PM, Lawrence K. Chen, P.Eng. wrote:
> Otherwise, wonder what I could do in my home grown automation scripts to
> check for new DS and somehow extend the rollover time automatically?

If there's no such automation in place (parent monitoring child for new KSK in order to update its DS records) I wouldn't use an automated KSK rollover. I'd do it manually (KSK double-signature rollover) when the time arrives. That way I'm in control (e.g. I won't delete old KSK until I make sure parent has new DS & wait for the old DS' TTL time).

I really think this is the best approach when there's no such automation. If there's a better way I'd be glad to hear it (I'm starting out with DNSSEC :)

Regards,
Jorge
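
The check described in the message above (the parent has the new DS, then the old DS TTL is waited out) can be scripted as follows. This is an added example, not part of the original message: the zone name, keys, timestamps and function names are constructed for illustration, and the parent's DS set is assumed to have been fetched from the parent's nameservers beforehand.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name (RFC 4034)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA from the presentation-format fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 hex digest) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def old_ksk_removable(owner, new_rdata, parent_ds, first_seen, old_ds_ttl, now):
    """True only when the parent serves a DS matching the new KSK and the
    old DS TTL has fully elapsed since that DS was first observed."""
    wanted = make_ds(owner, new_rdata)
    seen = {(t, a, d, h.replace(" ", "").upper()) for t, a, d, h in parent_ds}
    if first_seen is None or wanted not in seen:
        return False
    return now - first_seen >= old_ds_ttl

# Constructed sample data: not real keys (algorithm 13, 64-byte public key).
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(64)).decode())
NEW_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(b"\x01" * 64).decode())

if __name__ == "__main__":
    parent = [make_ds(ZONE, OLD_KSK), make_ds(ZONE, NEW_KSK)]  # as if parsed from a DS query
    for now in (1000 + 3600, 1000 + 86400):
        ok = old_ksk_removable(ZONE, NEW_KSK, parent, first_seen=1000, old_ds_ttl=86400, now=now)
        print(now, "remove old KSK" if ok else "keep old KSK")
```

Comparing the full DS tuple rather than only the key tag avoids a false match when two keys share a tag.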
