Paul Wouters <[email protected]> wrote:
> On Thu, 28 Feb 2013, Tony Finch wrote:
>
> > It might be desirable to be able to say "like this before such-and-such a
> > time, and like that afterwards". So maybe CDS RRs need inception and
> > expiry dates?
>
> But that seems to be local policy of the parent. Not something the child
> should have any say over?

You are probably right. The ideal is for the admin to trigger a key
rollover and the rest happens automatically.

The scheduling idea (above) is sort of based on exposing BIND's key timing
parameters (dnssec-settime) so that the parent can follow along. But this
requires quite a lot of faith that the parent will actually follow along
as requested, so it probably isn't robust enough.

So whatever is co-ordinating the key rollover at the child needs to
monitor the parent to see when the DS RRset changes so that the rest of
the schedule can be adjusted accordingly. And if you are doing that, you
might as well alter the CDS RRset like you do with the DNSKEY RRset, and
wait for the parent to notice and act on the change.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
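An added example, not part of the original message or of any implementation: a sketch of the monitoring approach described above, where the child's rollover co-ordinator derives the rest of the schedule from when it observes the parent's DS RRset match the published CDS RRset, rather than from fixed dates. The `Rollover` class, the step names, the tuple representation of DS/CDS records and the sample values are all assumptions; how the parent is actually polled is left out.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# A DS or CDS record as (key tag, algorithm, digest type, hex digest).
Rec = Tuple[int, int, int, str]

@dataclass
class Rollover:
    cds: FrozenSet[Rec]              # DS set the child asks the parent to publish
    ds_ttl: int                      # TTL of the parent's DS RRset, in seconds
    synced_at: Optional[int] = None  # when a poll first saw the parent in sync

    def observe(self, parent_ds: FrozenSet[Rec], now: int) -> str:
        """Take one poll of the parent's DS RRset and return the next step."""
        if parent_ds != self.cds:
            # Parent has not acted yet, or has changed again: no schedule.
            self.synced_at = None
            return "wait-for-parent"
        if self.synced_at is None:
            self.synced_at = now
        # Resolvers may hold the old DS RRset for one TTL after the change.
        if now < self.synced_at + self.ds_ttl:
            return "wait-for-ttl"
        return "retire-old-key"

    def retire_time(self) -> Optional[int]:
        """Earliest time to remove the old key; None until the parent acts."""
        return None if self.synced_at is None else self.synced_at + self.ds_ttl

# Constructed sample records; key tags and digests are placeholders.
OLD_DS: Rec = (11111, 8, 2, "aa" * 32)
NEW_DS: Rec = (22222, 8, 2, "bb" * 32)

def demo() -> List[Tuple[int, str]]:
    """Replay constructed polls: the parent switches DS between t=0 and t=5000."""
    r = Rollover(cds=frozenset({NEW_DS}), ds_ttl=3600)
    polls = [(0, {OLD_DS}), (5000, {NEW_DS}), (8599, {NEW_DS}), (8600, {NEW_DS})]
    return [(t, r.observe(frozenset(ds), t)) for t, ds in polls]

if __name__ == "__main__":
    for t, step in demo():
        print(t, step)
```

Because the clock starts at the poll that first sees the change, not at the moment the parent made it, the computed retirement time errs on the late side.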
