In message <[email protected]>, "Paul B. Henson" writes:
> On Tue, Jul 15, 2014 at 10:19:10AM +1000, Mark Andrews wrote:
>
> > The new key does not sign the DNSKEY RRset.
> [...]
> > Make sure the DNSKEY RRset is signed with the new key then try to
> > add the DS record to the parent.
>
> It's intentionally not being used for signing; it's published but not yet
> activated. We've been doing pre-publish key rollover since we deployed
> dnssec, I don't think there's any requirement that a DS record point to
> a key actually in use for signing, just to one that exists in the zone?
For a DS to *work* it needs to point to a key that signs the DNSKEY RRset.
Validators check that the signature exists. Activating the key will add 1
signature to the zone. Not activating it increases the risk of shooting
yourself in the foot in the future which, presumably, EDUCAUSE is trying to
prevent. If you were to disable the current key without first activating
the new key and allowing the old DNSKEY RRset to clear caches you would end
up with a broken secure delegation. By ensuring all DS records that are
added point to self-signed DNSKEY RRsets they prevent this scenario from
happening.

> Thanks...

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
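The condition Mark describes (a DS must point at a DNSKEY that actually signs the DNSKEY RRset, not merely at a key that is present in the zone) can be checked before the DS is handed to the parent. The script below is an added example written for this thread; it is not ISC, BIND or EDUCAUSE code. It parses presentation-format DNSKEY, RRSIG(DNSKEY) and DS records, computes key tags per RFC 4034 Appendix B and SHA-256 DS digests (digest type 2) per RFC 4034 section 5, and classifies each candidate DS. The zone name `example.test.`, the key material, the RRSIG timestamps and the signature blob are all constructed; the RRSIG's signature is not cryptographically verified, so this is the structural pre-check, not a substitute for a validating resolver.

```python
"""Pre-check candidate DS records against a zone's DNSKEY RRset and its RRSIG(DNSKEY)s.

Added example for the bind-users thread above; constructed data, not project code.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (not the special case for obsolete RSA/MD5, alg 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_digest(self) -> str:
        """SHA-256 DS digest (type 2) over the owner name in wire format followed by the RDATA."""
        labels = self.owner.rstrip(".").lower().split(".")
        wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
        return hashlib.sha256(wire + self.rdata()).hexdigest().upper()


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


# Constructed zone fragment: two KSKs, but only the first one (tag 2068) has an RRSIG
# over the DNSKEY RRset. The second (tag 4124) is pre-published and not yet active.
# Public keys are short dummy byte strings; the RRSIG signature field is a placeholder.
ZONE = """\
example.test. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.test. 3600 IN DNSKEY 257 3 13 BQYHCA==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20140801000000 20140715000000 2068 example.test. c2lnbmF0dXJl
"""


def parse_zone(text):
    """Minimal parser for presentation-format DNSKEY / RRSIG(DNSKEY) / DS lines."""
    dnskeys, signing_tags, ds_records = [], set(), []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            dnskeys.append(DNSKEY(f[0], int(f[4]), int(f[5]), int(f[6]),
                                  base64.b64decode("".join(f[7:]))))
        elif f[3] == "RRSIG" and f[4] == "DNSKEY":
            signing_tags.add(int(f[10]))  # the RRSIG's key tag field
        elif f[3] == "DS":
            ds_records.append(DS(f[0], int(f[4]), int(f[5]), int(f[6]),
                                 "".join(f[7:]).upper()))
    return dnskeys, signing_tags, ds_records


def check_ds(ds, dnskeys, signing_tags):
    """Classify one candidate DS against the zone's DNSKEY RRset."""
    matches = [k for k in dnskeys
               if k.key_tag() == ds.key_tag and k.algorithm == ds.algorithm]
    if not matches:
        return "no-dnskey"               # nothing in the zone matches: dead delegation
    if ds.digest_type != 2:
        return "unsupported-digest-type"  # this example only computes SHA-256 digests
    if all(k.ds_digest() != ds.digest for k in matches):
        return "digest-mismatch"         # tag matches, but the DS came from other key data
    if ds.key_tag not in signing_tags:
        return "published-not-signing"   # the case in the thread: present, no RRSIG(DNSKEY)
    return "ok"


def audit(zone_text=ZONE):
    """Build candidate DS records from the zone's own keys plus one bogus tag, and classify each."""
    dnskeys, signing_tags, _ = parse_zone(zone_text)
    old_key, new_key = dnskeys
    candidates = [
        DS(old_key.owner, old_key.key_tag(), old_key.algorithm, 2, old_key.ds_digest()),
        DS(new_key.owner, new_key.key_tag(), new_key.algorithm, 2, new_key.ds_digest()),
        DS("example.test.", 9999, 13, 2, "00" * 32),  # constructed: no such key in the zone
    ]
    return {ds.key_tag: check_ds(ds, dnskeys, signing_tags) for ds in candidates}


if __name__ == "__main__":
    for tag, status in audit().items():
        print(f"DS key tag {tag}: {status}")
```

Only a DS reported as `ok` is safe to submit to the parent: the key it names both matches the digest and has an RRSIG over the DNSKEY RRset, so a resolver following the DS can build the chain. A `published-not-signing` result is exactly the pre-published-but-inactive key from the thread; activating it (so it signs the DNSKEY RRset) turns that result into `ok`.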

