On 16-08-2021 11:22, raf via bind-users wrote:
On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking <matth...@isc.org> 
wrote:

Hi,

On 16-08-2021 04:28, raf via bind-users wrote:
On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf <b...@raf.org> wrote:
...

So it's looking good and I'm happy now. But how long
after the zone has been signed can I expect to see
CDS/CDNSKEY RRs appear? Why aren't they created at
the same time as the DNSKEY RRs? I assume there's
a good reason but I can't think what it is.

First the RRsets with signatures need to be in the zone long enough that any
cached unsigned RRsets in resolvers' caches have expired.

If you call 'rndc dnssec -status <zone>' you might see that the "zone
rrsigs" are still in the "rumoured" state. Once they are omnipresent, the DS
may be submitted and that is the time when the corresponding CDS/CDNSKEY
records will be published.

Thanks! That makes much sense. I was thinking that it
would be OK to publish the DS sooner when the zone is
signed for the first time. But I get it. I'll trust
bind's sense of timing and be patient. :-)

It is 99% of the time, but there will be corner cases (and dragons).
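A small parser for the gate Matthijs describes above, added here as an example and not code from ISC or from anyone in the thread: it reads the text of 'rndc dnssec -status <zone>', pulls out each key's state lines, and reports whether the "zone rrsig" state has reached omnipresent (the point at which the DS may be submitted and CDS/CDNSKEY will be published). The sample status text is constructed to approximate the BIND 9.16 layout; the only labels the parser relies on are "key:", "goal", "dnskey", "ds" and "zone rrsig". The "waiting on" wording is my own, not BIND's.

```python
"""Parse 'rndc dnssec -status <zone>' output and say, per key, whether the
zone RRSIGs are omnipresent yet (the precondition for DS submission and
therefore for CDS/CDNSKEY publication).

Added example, not ISC code.  Assumptions: the label spellings below and
the '  - label:   state' layout of the state block.
"""
import re
from dataclasses import dataclass, field

# Constructed sample (not captured from a real server): one key signed
# last night whose RRSIGs are still rumoured, one that is further along.
SAMPLE_STATUS = """\
dnssec-policy: default
current time:  Mon Aug 16 11:00:00 2021

key: 12345 (ECDSAP256SHA256), CSK
  published:      yes - since Sun Aug 15 22:30:00 2021
  key signing:    yes - since Sun Aug 15 22:30:00 2021
  zone signing:   yes - since Sun Aug 15 22:30:00 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         rumoured
  - ds:             hidden
  - zone rrsig:     rumoured

key: 54321 (ECDSAP256SHA256), CSK
  published:      yes - since Mon Aug 02 09:00:00 2021
  key signing:    yes - since Mon Aug 02 09:00:00 2021
  zone signing:   yes - since Mon Aug 02 09:00:00 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             rumoured
  - zone rrsig:     omnipresent
"""

KEY_RE = re.compile(r"^key:\s+(\d+)\s+\(([^)]+)\),\s+(\w+)")
STATE_RE = re.compile(r"^\s+-\s+([a-z ]+?):\s+(\w+)")


@dataclass
class KeyStatus:
    keytag: int
    algorithm: str
    role: str                      # CSK, KSK or ZSK
    states: dict = field(default_factory=dict)


def parse_status(text):
    """Return one KeyStatus per 'key:' block, with its state lines."""
    keys, cur = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            cur = KeyStatus(int(m.group(1)), m.group(2), m.group(3))
            keys.append(cur)
            continue
        m = STATE_RE.match(line)
        if m and cur is not None:
            cur.states[m.group(1)] = m.group(2)
    return keys


def ds_submittable(key):
    """True once the zone RRSIGs made with this key are omnipresent,
    i.e. old unsigned RRsets can no longer be sitting in resolver caches
    and BIND will move on to publishing CDS/CDNSKEY for it."""
    return (key.states.get("goal") == "omnipresent"
            and key.states.get("zone rrsig") == "omnipresent")


def report(text):
    """Map keytag -> short verdict for every key in the status output."""
    out = {}
    for k in parse_status(text):
        if ds_submittable(k):
            out[k.keytag] = "rrsigs omnipresent; DS may be submitted (ds=%s)" % k.states.get("ds")
        else:
            out[k.keytag] = "waiting on zone rrsig=%s" % k.states.get("zone rrsig")
    return out


if __name__ == "__main__":
    # In practice feed it the live output:
    #   rndc dnssec -status example.org | python3 this_script.py
    for tag, verdict in report(SAMPLE_STATUS).items():
        print(tag, verdict)
```

Once a key reports "DS may be submitted", confirm the records are actually there before touching the parent: `dig @<your-auth-server> <zone> CDS` and `... CDNSKEY` should return the RRsets, and the DS you hand to the registrar should match what `dig <zone> DNSKEY` shows for that key tag.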