Rick,
> > is it safe to have the DelegationSignerSubmitCommand submit the DS
> > to the parent and mark the KSK with "ds-seen" in one fell swoop?
> This is not safe. OpenDNSSEC might remove your DNSKEY before all
> clients have stopped relying on it. They might have the old DS on board
> but not the old DNSKEY. The least paranoid cause for this would be
> differences in TTL for the two records.
Of course, yes.
So DelegationSignerSubmitCommand gets DNSKEY, calculates DS, submits DS,
schedules process to wait for DS actually in parent, waits a wee bit
longer and then marks ds-seen. Sounds good.
Thank you.
Regards,
-JP
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
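The sequence agreed on in this thread (derive the DS from the DNSKEY, then hold ds-seen until the DS is on every parent server and cached copies of the previous DS RRset have expired), as an added Python example that is not part of the original message or of OpenDNSSEC. The function names, the observation format, the server names and the one-hour margin are assumptions; the DS digest and key tag follow RFC 4034.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lower-case wire form of an owner name (RFC 4034 6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey):
    """Return (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_seen_not_before(new_ds, old_ds_ttl, observations, margin=3600):
    """Earliest epoch second at which ds-seen may be marked, else None.

    observations maps each parent server to (first_seen_epoch, DS set).
    None means at least one parent server does not serve new_ds yet.
    """
    if not observations:
        return None
    sightings = []
    for first_seen, ds_set in observations.values():
        if new_ds not in ds_set:
            return None          # still propagating: keep waiting
        sightings.append(first_seen)
    # Resolvers may hold the previous DS RRset for one full TTL after the
    # last parent server switched, so count from the latest sighting.
    return max(sightings) + old_ds_ttl + margin

# Constructed sample data: a 4-byte dummy public key, not a real KSK.
NEW_DS = make_ds("example.com.", 257, 3, 8, bytes(4))
OLD_DS = (4242, 8, 2, "00" * 32)
PARTIAL = {"a.parent.example": (1000, {NEW_DS}),
           "b.parent.example": (1000, {OLD_DS})}
COMPLETE = {"a.parent.example": (1000, {NEW_DS}),
            "b.parent.example": (1600, {NEW_DS, OLD_DS})}

if __name__ == "__main__":
    print(ds_seen_not_before(NEW_DS, 86400, PARTIAL))
    print(ds_seen_not_before(NEW_DS, 86400, COMPLETE))
```

Only once the returned time has passed would the scheduled job mark the key as ds-seen.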