On Thu, 28 Feb 2013, Tony Finch wrote:
> But that seems to be local policy of the parent. Not something the child
> should have any say over?
You are probably right.
The ideal is for the admin to trigger a key rollover and the rest happens
automatically. The scheduling idea (above) is sort of based on exposing
BIND's key timing parameters (dnssec-settime) so that the parent can
follow along. But this requires quite a lot of faith that the parent will
actually follow along as requested, so it probably isn't robust enough.
So whatever is co-ordinating the key rollover at the child needs to
monitor the parent to see when the DS RRset changes so that the rest of
the schedule can be adjusted accordingly. And if you are doing that, you
might as well alter the CDS RRset like you do with the DNSKEY RRset, and
wait for the parent to notice and act on the change.
I'm just trying to avoid another round of "Triggers vs Timers" :)
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
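The "monitor the parent, then act on the CDS" loop Paul sketches, as an added example that is not part of the thread and not BIND's code: the child derives its CDS RRset from the SEP keys in its DNSKEY RRset (RFC 7344), a toy parent polls that CDS and replaces its DS RRset when the two differ, and a double-signature KSK rollover (RFC 6781 s4.1.2) advances each step only after the child observes the parent's DS catch up. The `Child`/`Parent` classes, the zone names and the key material are constructed for illustration; the key tag and DS digest follow RFC 4034 Appendix B and RFC 4509. The parent's signature check on the CDS RRset and the DS-TTL waits are deliberately not modelled.

```python
"""CDS-driven KSK rollover where the child gates each step on the parent's DS RRset."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = ZONE|SEP (a KSK), 256 = ZONE only (a ZSK)
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # constructed placeholder bytes in the examples below
    protocol: int = 3   # always 3 for DNSSEC (RFC 4034 s2.1.2)

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & 0x0001)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS for a DNSKEY: digest over owner name || DNSKEY RDATA (RFC 4034 s5.1.4), SHA-256 per RFC 4509."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is modelled here")
    rdata = key.rdata()
    return DS(key_tag(rdata), key.algorithm, digest_type, hashlib.sha256(name_wire(owner) + rdata).digest())


class Child:
    """Child zone; its CDS RRset is whatever DS records its current SEP keys imply."""
    def __init__(self, zone: str, keys: list[DNSKEY]):
        self.zone = zone
        self.keys = list(keys)

    def cds_rrset(self) -> frozenset[DS]:
        return frozenset(ds_from_dnskey(self.zone, k) for k in self.keys if k.is_sep)


class Parent:
    """Toy parent: polls the child's CDS and replaces its DS RRset when they differ.
    A real parent first checks the CDS RRset is signed by a key in the current chain (RFC 7344 s4.1)."""
    def __init__(self, enabled: bool = True):
        self.enabled = enabled          # False models a parent that ignores CDS
        self.ds: dict[str, frozenset[DS]] = {}

    def poll(self, child: Child) -> bool:
        cds = child.cds_rrset()
        if not self.enabled or cds == self.ds.get(child.zone):
            return False
        self.ds[child.zone] = cds
        return True


def wait_for_parent(child: Child, parent: Parent, max_polls: int) -> bool:
    """Child-side monitoring: has the parent's DS RRset caught up with our CDS?"""
    for _ in range(max_polls):
        parent.poll(child)
        if parent.ds.get(child.zone) == child.cds_rrset():
            return True
    return False


def ksk_rollover(child: Child, parent: Parent, new_ksk: DNSKEY, max_polls: int = 3) -> list[str]:
    """Double-signature KSK rollover, each step gated on the observed parent DS rather than a timer."""
    log = []
    old_ksks = [k for k in child.keys if k.is_sep]
    child.keys.append(new_ksk)                       # pre-publish new KSK; CDS lists old and new
    log.append(f"child published CDS with {len(child.cds_rrset())} DS")
    if not wait_for_parent(child, parent, max_polls):
        log.append("parent never published both DS; rollover halted")
        return log
    log.append("parent DS matches CDS (old+new)")
    for k in old_ksks:                               # safe only after the parent has the new DS
        child.keys.remove(k)
    log.append(f"child retired old KSK, CDS now lists {len(child.cds_rrset())} DS")
    if not wait_for_parent(child, parent, max_polls):
        log.append("parent still serving old DS; keep old DNSKEY published")
        return log
    log.append("parent DS matches CDS (new only); rollover complete")
    return log
```

Because `ksk_rollover` never removes the old KSK until the parent's DS RRset is seen to contain the new one, a parent that silently ignores CDS leaves the child in a safe, still-validating state instead of breaking the chain of trust.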