Hello Jan-Piet, > Is it safe to have OpenDNSSEC publish a new KSK DNSKEY and a short while > later publish its DS in the parent? Is it also safe to have superflous > DS records (e.g for DNSKEYs which have long been removed) for a zone in > that parent?
It ought to be safe, precisely as you stated it — at least one DNSKEY per algorithm must be found. One situation where this may occur is during secure domain transfers, where the DS’s of the old and new situation are stored in the parent. -Rick _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
