On 19.12.2013 10:16, Volker Janzen wrote:
Hi,

I'm currently working on automated KSK rollovers with my registrar's API.
I remember a discussion that it's difficult to say if a DS record can be
assumed as seen, because with Anycast DNS you cannot check all
nameservers from your location (or even when using load-balanced
nameservers, you cannot check all nodes). Does anyone know / can suggest
how long after a DS update at the registry I should wait before I take
the DS seen via DNS lookup? E.g. 24 hours?

Generally the expected DS propagation delay depends on the parent domain operator. If, like in your case, it is a TLD operator, I would suspect that these people try to have all their name servers in sync and can resolve issues quite fast. On the other hand, it does not harm to have an old KSK in the zone for some days more than the expected DS propagation delay.

Thus, during "normal" KSK rollovers I use 5 days (to cover out-of-sync issues over a long weekend / holidays) before I remove the old KSK. In case of emergency rollovers (key was leaked) you have to decide per case if it is better to have short delays and risk failing validation vs. someone being able to spoof valid answers.

regards
Klaus
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
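As an added illustration of the two points in this thread (checking each parent name server for the new DS, then holding the old KSK for a fixed period on top of the DS TTL), here is a small Python sketch of the decision logic; it is not from the thread or from OpenDNSSEC. The DS answers, server addresses and the toy key are constructed sample data, and the 5-day hold-down is the figure Klaus gives above.

```python
from datetime import datetime, timedelta, timezone

# Hold-down from the reply above for a normal KSK rollover: 5 days.
NORMAL_HOLD_DOWN = timedelta(days=5)

def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag of a DNSKEY (RFC 4034 Appendix B), used to match it against DS records."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_matches(ds: tuple, keytag: int, algorithm: int) -> bool:
    """ds = (keytag, algorithm, digest_type, digest_hex), one DS RR from a query answer."""
    return ds[0] == keytag and ds[1] == algorithm

def ds_seen_on_all(observations: dict, keytag: int, algorithm: int) -> list:
    """observations: {nameserver_ip: [ds, ...]} gathered by querying each parent NS
    directly. Returns the servers still missing the new DS. An empty list means it was
    seen everywhere we could look; anycast / load-balanced backends may still be stale."""
    return [ns for ns, rrset in observations.items()
            if not any(ds_matches(ds, keytag, algorithm) for ds in rrset)]

def old_ksk_removal_time(first_seen_all: datetime, ds_ttl: int,
                         hold_down: timedelta = NORMAL_HOLD_DOWN) -> datetime:
    """Earliest time the old KSK may leave the zone: once every queried parent server
    publishes the new DS, wait out the DS TTL (cached old DS) plus the hold-down."""
    return first_seen_all + timedelta(seconds=ds_ttl) + hold_down

# Constructed sample data (not a real key): the new KSK and DS answers from three parent servers.
NEW_KSK = dict(flags=257, protocol=3, algorithm=8, pubkey=bytes([1, 2, 3]))
NEW_TAG = dnskey_keytag(**NEW_KSK)   # 2059 for this toy key
OBSERVED = {
    "192.0.2.1": [(12345, 8, 2, "aa" * 32), (NEW_TAG, 8, 2, "bb" * 32)],
    "192.0.2.2": [(12345, 8, 2, "aa" * 32), (NEW_TAG, 8, 2, "bb" * 32)],
    "192.0.2.3": [(12345, 8, 2, "aa" * 32)],   # still serving only the old DS
}
FIRST_SEEN_SAMPLE = datetime(2013, 12, 19, 10, 16, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    missing = ds_seen_on_all(OBSERVED, NEW_TAG, 8)
    if missing:
        print("new DS not yet visible on:", missing)
    else:
        print("old KSK may be removed after", old_ksk_removal_time(FIRST_SEEN_SAMPLE, 86400))
```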
