On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking <matth...@isc.org> wrote:
> Hi,
>
> On 16-08-2021 04:28, raf via bind-users wrote:
> > On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf <b...@raf.org> wrote:
> ...
> >
> > So it's looking good and I'm happy now. But how long
> > after the zone has been signed can I expect to see
> > CDS/CDNSKEY RRs appear? Why aren't they created at
> > the same time as the DNSKEY RRs? I assume there's
> > a good reason but I can't think what it is.
>
> First the RRsets with signatures need to be in the zone long enough that any
> cached unsigned RRsets in resolver's caches have expired.
>
> If you call 'rndc dnssec -status <zone>' you might see that the "zone
> rrsigs" are still in the "rumoured" state. Once they are omnipresent, the DS
> may be submitted and that is the time when the corresponding CDS/CDNSKEY
> records will be published.

Thanks! That makes much sense.
I was thinking that it would be OK to publish the DS sooner
when the zone is signed for the first time. But I get it.
I'll trust bind's sense of timing and be patient. :-)

cheers,
raf
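
Added example, not part of the original thread and not ISC's code: a small parser that reads `rndc dnssec -status <zone>` text and reports which keys still have their zone RRSIGs in a state other than "omnipresent", the condition the reply gives for CDS/CDNSKEY not being published yet. The sample text is constructed, and its layout (a `key:` line followed by `- name: state` lines) is an assumption about the command's output; the function names are hypothetical.

```python
import re
import sys

# Constructed sample; the layout is an assumption about `rndc dnssec -status` output.
SAMPLE_STATUS = """\
dnssec-policy: default
current time:  Mon Aug 16 10:40:00 2021

key: 12345 (ECDSAP256SHA256), CSK
  published:      yes - since Sun Aug 15 22:00:00 2021
  key signing:    yes - since Sun Aug 15 22:00:00 2021
  zone signing:   yes - since Sun Aug 15 22:00:00 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - zone rrsig:     rumoured
  - key rrsig:      omnipresent
"""

KEY_RE = re.compile(r"^key:\s+(\d+)\s+\(([^)]+)\),\s+(\S+)")
STATE_RE = re.compile(r"^\s*-\s+([a-z ]+?):\s+(\w+)\s*$")


def parse_key_states(text):
    """Map key id -> {'algorithm', 'role', and one entry per '- name: state' line}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(
                int(m.group(1)), {"algorithm": m.group(2), "role": m.group(3)})
            continue
        m = STATE_RE.match(line)
        if m and current is not None:  # ignore state lines before any key header
            current[m.group(1)] = m.group(2)
    return keys


def keys_waiting_on_rrsigs(text):
    """Return {key_id: state} for keys whose 'zone rrsig' is not yet omnipresent."""
    return {kid: st["zone rrsig"] for kid, st in parse_key_states(text).items()
            if "zone rrsig" in st and st["zone rrsig"] != "omnipresent"}


if __name__ == "__main__":
    # Usage: rndc dnssec -status example.com | python3 this_script.py
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    waiting = keys_waiting_on_rrsigs(text)
    print(waiting or "zone rrsigs omnipresent for all listed keys")
```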