On 13.12.2013 16:10, Emmanuel Thierry wrote:
Hello,

On 13 Dec 2013, at 15:43, Klaus Darilion wrote:

On 13.12.2013 15:21, Emmanuel Thierry wrote:


Does material exist that graphically explains (in an ideal way) each specific 
key and DNSSEC record life cycle, in the same manner as section 4.4.2.2?

Have you checked:
https://wiki.opendnssec.org/display/DOCS/Key+Rollovers and
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-03

A lot clearer! I think any system administrator deploying DNSSEC-enabled 
authoritative servers should have it! ;)
However, I still wonder how, for instance, the PropagationDelay field from the Parent block is 
used. The zone was automatically marked "active" when I set it ds-seen. I would have 
expected OpenDNSSEC to wait for PropagationDelay to mark it active according to the timeline you 
refer to (PropagationDelay == "Dreg"?). Anyway, we are switching a bit to OpenDNSSEC 
internals.

I'm not sure about ODS internals, but IIRC ODS uses double-signature. So, maybe the propagation delay of the parent zone (and the TTL of the DS) is considered before retiring the old KSK.

regards
Klaus
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
