On 19.12.2013 13:25, Volker Janzen wrote:
> I'm using the DelegationSignerCommand to get notified when OpenDNSSEC
> wants me to do an update on a domain. This currently triggers a domain
> update (by a simple script) with my domain registrar. The command gets
> exactly one DNSKEY (the new one). From this point of view, the workflow
> does not allow the old DS to persist in the parent zone, because I'm not
> told there should be two DNSKEY entries, and there will be no second call
> to the DelegationSignerCommand either to tell me to finally
> remove the old DS. BTW: it's a pity that there is no call when setting
> the initial DNSKEY, too.
There is no need to have two DS records in the parent zone. With double-signature
it is fine to have only one DS in the parent zone. You just have to make
sure that the old KSK is still in the zone and used to sign the DNSKEYs
for TTL-of-DS + propagation-delay-parent-zone.
AFAIK these values can be configured in kasp.xml. Therefore I suspect
that ODS keeps the old KSK after "ds-seen" for at least this time.
<Parent>
    <PropagationDelay>XXXX</PropagationDelay>
    <DS>
        <TTL>XXX</TTL>
    </DS>
    <SOA>
        <TTL>XXXX</TTL>
        <Minimum>XXXX</Minimum>
    </SOA>
</Parent>
regards
Klaus
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
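As an added illustration of Klaus's point (this is example code, not part of the thread and not OpenDNSSEC's own code), the script below reads the `<Parent>` timing parameters from a kasp.xml fragment and computes how long the old KSK must remain published and signing the DNSKEY RRset after "ds-seen": DS TTL plus the parent's propagation delay. The kasp.xml fragment is constructed here and its durations (PT9999S, PT3600S) are assumptions; the only facts taken from the thread are the element names and the retention rule. The duration parser handles the ISO 8601 forms kasp.xml uses (e.g. PT3600S, P1D) and rejects year/month components, whose length is calendar-dependent.

```python
"""Minimum retention of the old KSK after ds-seen in a double-signature
KSK rollover, derived from the <Parent> section of an OpenDNSSEC kasp.xml.

Added example, not OpenDNSSEC code. The fragment and its values below are
constructed assumptions for illustration.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed kasp.xml <Parent> fragment; the durations are assumptions.
SAMPLE_PARENT_XML = """<Parent>
  <PropagationDelay>PT9999S</PropagationDelay>
  <DS>
    <TTL>PT3600S</TTL>
  </DS>
  <SOA>
    <TTL>PT3600S</TTL>
    <Minimum>PT3600S</Minimum>
  </SOA>
</Parent>"""

# ISO 8601 duration restricted to weeks/days/hours/minutes/seconds.
_DURATION_RE = re.compile(
    r"^P(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration(text):
    """Parse a kasp.xml-style ISO 8601 duration into a timedelta.

    Years and months are rejected on purpose: their length depends on the
    calendar, so a retention time built from them would be ambiguous.
    """
    if text is None:
        raise ValueError("missing duration element")
    text = text.strip()
    match = _DURATION_RE.match(text)
    if not match or text in ("P", "PT"):
        raise ValueError("unsupported duration: %r" % text)
    parts = {k: int(v) for k, v in match.groupdict().items() if v is not None}
    return timedelta(**parts)


def min_old_ksk_retention(parent_xml):
    """How long the old KSK must stay in the zone and keep signing the
    DNSKEY RRset after the new DS is seen in the parent.

    Rule from the thread: TTL-of-DS + propagation-delay-parent-zone. Until
    that much time has passed, a validator may still hold the old DS in its
    cache and needs the old KSK to validate the DNSKEY RRset.
    """
    parent = ET.fromstring(parent_xml)
    ds_ttl = parse_duration(parent.findtext("DS/TTL"))
    propagation = parse_duration(parent.findtext("PropagationDelay"))
    return ds_ttl + propagation


def earliest_old_ksk_retire(ds_seen, parent_xml):
    """Earliest instant at which the old KSK may be removed from the zone."""
    return ds_seen + min_old_ksk_retention(parent_xml)


def earliest_old_ksk_retire_iso(ds_seen_iso, parent_xml):
    """Same as above, but taking and returning ISO 8601 timestamps."""
    ds_seen = datetime.fromisoformat(ds_seen_iso)
    return earliest_old_ksk_retire(ds_seen, parent_xml).isoformat()


def old_ksk_may_retire(now, ds_seen, parent_xml):
    """True once the retention window since ds-seen has fully elapsed."""
    return now >= earliest_old_ksk_retire(ds_seen, parent_xml)


if __name__ == "__main__":
    # Assumed ds-seen time for the worked example.
    seen_iso = "2013-12-19T12:00:00+00:00"
    print("old KSK must stay for", min_old_ksk_retention(SAMPLE_PARENT_XML))
    print("earliest retire:", earliest_old_ksk_retire_iso(seen_iso, SAMPLE_PARENT_XML))
```

With the constructed values (DS TTL 3600 s, propagation delay 9999 s) the old KSK has to stay for 13599 s after ds-seen; a DelegationSignerCommand wrapper that only sees the new DNSKEY can use this window to decide when it is safe to stop publishing the old key, rather than waiting for a second callback that never comes.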