--- Begin Message ---
Thanks, that explains it.

On Wednesday, December 16, 2020, Jim Reid <[email protected]> wrote:
>
>
>> On 16 Dec 2020, at 19:33, Eugene Tsuno - NOAA Affiliate via
>> dns-operations <[email protected]> wrote:
>>
>> So do those who have subdomains delegated have to regenerate DS keys
>> ever?
>
> Yes. This *has* to be done whenever the child zone rolls its KSK. And
> every zone should change its KSK from time to time, just like we all change
> our login passwords from time to time.
>
> It’s possible for a parent zone to detect the child zone’s KSK rollover
> and automagically generate a new DS record for it. However you need to
> document and implement a procedure for that, defining who’s responsible for
> what amongst other things. This is the sort of thing that’s likely to break
> if that procedure is not exercised regularly and everyone’s familiar with
> it. See RFCs 7344, 7583 and 8078.
>
> DNSSEC is not a “fire and forget” protocol.
>
>

--- End Message ---
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
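
The parent-side check described in the quoted reply, as an added example that is not part of the original thread: it derives SHA-256 DS records (RFC 4034) from a child's KSKs and reports which DS records the parent should add or withdraw after a rollover. The zone name, the keys and the helper names are constructed for illustration. It assumes the child's DNSKEY set was already DNSSEC-validated through the existing DS, and it reads DNSKEY directly where RFC 7344 has the child signal through CDS/CDNSKEY.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, flags, protocol, algorithm, pubkey):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_changes(owner, child_dnskeys, parent_ds):
    """Return (to_add, to_remove) for the parent's DS set.

    Only keys with the SEP bit (flags & 1, i.e. KSKs) get a DS record.
    """
    wanted = {make_ds(owner, *k) for k in child_dnskeys if k[0] & 0x0001}
    current = set(parent_ds)
    return wanted - current, current - wanted

# Constructed sample keys (not real key material): algorithm 13, 64-byte keys.
OLD_KSK = (257, 3, 13, b"\x01" * 64)
NEW_KSK = (257, 3, 13, b"\x02" * 64)
ZSK = (256, 3, 13, b"\x03" * 64)

if __name__ == "__main__":
    zone = "child.example."  # hypothetical delegated zone
    parent_ds = [make_ds(zone, *OLD_KSK)]
    # After the rollover the child publishes only the new KSK and its ZSK.
    add, remove = ds_changes(zone, [NEW_KSK, ZSK], parent_ds)
    for tag, alg, dtype, digest in sorted(add):
        print(f"ADD    {zone} IN DS {tag} {alg} {dtype} {digest}")
    for tag, alg, dtype, digest in sorted(remove):
        print(f"REMOVE {zone} IN DS {tag} {alg} {dtype} {digest}")
```

During a rollover both KSKs are normally published for a while, in which case the old DS appears in neither set until the child withdraws the old key.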
