OK, good idea. But some parent zones holders check to see if the corresponding DNSKEY is present in the child zone before accepting DS records. I have DLV in mind... So in this scenario, DS records can not be submitted.
On Tue, Jul 06, 2010 at 01:52:58PM +0100, Sion Lloyd wrote: > > > > I have 3 test zones and each has an active KSK and a dsready KSK. > > dsready KSK is labelled "When required". If I look in the zonefile, I > > cannot see this DNSKEY. The only KSK I can find is the active one. > > > > What this dsready state should mean? In ODS 1.0, this state didn't > > exist. Before the ready state, there was a published state. > > The key in the DSREADY state is the standby key. It has had its DS record > submitted to the parent but is not being published in the zone yet. It will > not be published until it is going to be used. > > The idea is that if the key is needed in an emergency the shortest timescale > that it can be used in is the publication through the child system. (It is > imagined that dealing with the parent zone is the slower of the two.) > > Sion > _______________________________________________ > Opendnssec-user mailing list > [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user > -- Pierre Lebrech _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
