> I think what happened to this zone is: its DS was published
> automatically just before the NL-zone reloads. The automated 'is DS
> available for $domain in ds-seen state'-checker I wrote found the DS
> active only 15 minutes after it being published and marked the key
> active, way before ODS expected that to happen(??).

'active' means the DS can be used by ODS, i.e. all resolvers have access to it. This is not immediately after publishing it in the NL-zone; these resolvers have caches, which is taken into account by ODS. See [1].

So you have to wait at least the TTL of the DS to know you can safely use the new DS. Your script _will_ break validation of your domain for at least some resolvers.

Regards,
Yuri Schaeffer

[1] https://wiki.opendnssec.org/display/DOCS/Key+States

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
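
The timing rule from the reply above, as an added example that is not part of the original thread and is not OpenDNSSEC code: a ds-seen gate that refuses to mark a key active until the DS has been visible for at least one DS TTL. The function names, the server names, the 3600-second TTL and the requirement that every parent server already serves the DS are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone


def earliest_ds_seen(first_seen, ds_ttl, parent_servers):
    """Return the earliest time ds-seen may be signalled, or None.

    first_seen     -- {server name: datetime the new DS was first observed there}
    ds_ttl         -- TTL in seconds of the DS RRset in the parent zone
    parent_servers -- parent authoritative servers that must all serve the DS
    """
    # Assumption: a server still answering without the new DS can refill a
    # resolver cache with the old answer, so the clock has not started yet.
    if any(server not in first_seen for server in parent_servers):
        return None
    # Start counting from the server that picked up the DS last, then wait
    # one full TTL so every cached copy of the old answer has expired.
    last_published = max(first_seen[server] for server in parent_servers)
    return last_published + timedelta(seconds=ds_ttl)


def may_mark_active(now, first_seen, ds_ttl, parent_servers):
    """True only when resolver caches can no longer hold the old DS answer."""
    safe_at = earliest_ds_seen(first_seen, ds_ttl, parent_servers)
    return safe_at is not None and now >= safe_at


# Constructed sample data (not taken from the thread).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SERVERS = ["parent-ns1.example", "parent-ns2.example"]
SEEN = {
    "parent-ns1.example": T0,
    "parent-ns2.example": T0 + timedelta(minutes=5),
}
DS_TTL = 3600  # constructed value; read the real TTL from the parent's DS answer

if __name__ == "__main__":
    for minutes in (15, 65):
        now = T0 + timedelta(minutes=minutes)
        ok = may_mark_active(now, SEEN, DS_TTL, SERVERS)
        print(f"{minutes:3d} min after publication: mark active = {ok}")
```
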
