In message <[email protected]>, Ralf Weber writes:
> Moin!
>
> On 04 Mar 2014, at 10:00, Mark Andrews <[email protected]> wrote:
>
> >     If you replace a CPE it just pushes new DS records for the
> >     new DNSKEY records it generates.  This is equivalent to an
> >     emergency key rollover and only impacts clients that have
> >     cached records for the zone or its DS records.
> What if the new device doesn't support DNSSEC signing? I still think
> there are reasons to support both architectures (signing on the CPE or
> on the ISP auth name server). I have no problem with signing on the CPE.
> I just don't want to make it mandatory, as I have seen more problems with
> CPEs than with ISP operations (ok I may be biased here working in ISP
> operations for 15 years ;-).
>
> So long
> -Ralf

The CPE that doesn't sign clears the DS records rather than adding /
replacing the DS records.  The zones still need to be delegated.
If the CPE doesn't request delegations, the ISP DHCP server clears
the delegation from its zones and that includes DS records.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
