Dnssec questions

Thomas Schulz schulz at adi.com
Wed Sep 17 01:45:38 UTC 2008


Am I correct in assuming that I can set up our server with the dnssec
keys and then without any great rush send the dlv records to isc.org
and no resolver will reject our zone because of the partial setup?

What do I do when I want to change to new keys?  It would seem that I
can't change either my keys or the dlv record at isc.org without doing
the other one first!  Can I load new keys and keep the old ones loaded
at the same time?  If so, then changing the dlv record should be ok.

Is it reasonable to set the expiration time to some large value for
zones that would not be interesting to anyone?  I am thinking of
changing the key yearly but setting the expire time to 2 years so that
there will be no problems if I get sidetracked for a month or so.

What happens if one of our secondaries has no special setup for dnssec?
Should it be still able to serve any records that it gets in the zone
transfer? And if it does not serve the key records when there are dlv
records at isc.org what happens?  I think that a.dns.tds.net is running
some version of bind, but when I query for version.bind I get the response
that this is a rude question.  In case it is helpful, our domain is
adi.com.

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
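The rollover and expiry questions above come down to a timing exercise: keep both keys in the zone until the old trust anchor can no longer be in any cache, and make sure signatures outlive the next re-signing even if it slips. The following is an added example (not part of the post, and not adi.com's or ISC's configuration) that computes a conservative double-signature KSK rollover schedule and a signature-expiry safety margin. All TTLs, propagation delays, dates and validity periods in it are constructed assumptions; the assumed parent record is a generic DS/DLV pointer at the KSK.

```python
"""Constructed example: timeline for a double-signature KSK rollover and a
check that RRSIG validity covers the next re-signing plus slack.  Every
TTL, date and validity period here is an assumption for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ZoneTiming:
    dnskey_ttl: timedelta       # TTL of the zone's DNSKEY RRset
    anchor_ttl: timedelta       # TTL of the DS (or DLV) record that points at the KSK
    propagation: timedelta      # worst case for secondaries to load a new zone (NOTIFY/refresh)
    sig_validity: timedelta     # RRSIG expiration minus inception
    resign_interval: timedelta  # how often the zone is actually re-signed


def rollover_schedule(start: datetime, t: ZoneTiming) -> dict:
    """Earliest safe date for each step of a double-signature KSK rollover.

    Both keys stay published and the DNSKEY RRset is signed by both until the
    old trust anchor has aged out of every cache.  Each wait is the relevant
    TTL plus the time for secondaries to pick up the new zone.
    """
    publish_new = start
    # Any validator that cached a DNSKEY RRset lacking the new key has expired
    # that copy once the DNSKEY TTL has passed on every authoritative server.
    new_key_visible = publish_new + t.dnskey_ttl + t.propagation
    # From here either the old or the new DS/DLV record validates the RRset,
    # so the anchor at the parent or DLV registry can be replaced.
    swap_anchor = new_key_visible
    # Once the old anchor has aged out of caches nothing depends on the old
    # key, and it can be removed from the zone.
    remove_old_key = swap_anchor + t.anchor_ttl + t.propagation
    return {
        "publish_new_key": publish_new,
        "swap_trust_anchor": swap_anchor,
        "remove_old_key": remove_old_key,
    }


def expiry_margin(last_signed: datetime, t: ZoneTiming) -> timedelta:
    """Slack between RRSIG expiration and the next re-signing being live everywhere.

    Negative means signatures expire before the next planned re-sign has
    propagated, so validating resolvers would treat the zone as bogus.
    """
    expires = last_signed + t.sig_validity
    next_resign_live = last_signed + t.resign_interval + t.propagation
    return expires - next_resign_live


def tolerates_slip(last_signed: datetime, t: ZoneTiming, slip: timedelta) -> bool:
    """True if re-signing can run `slip` late without any signature expiring."""
    return expiry_margin(last_signed, t) >= slip


# Assumed timings: one-day TTLs, one day for secondaries, yearly re-signing
# with two-year signature validity (the plan described in the post).
YEARLY = ZoneTiming(
    dnskey_ttl=timedelta(days=1),
    anchor_ttl=timedelta(days=1),
    propagation=timedelta(days=1),
    sig_validity=timedelta(days=730),
    resign_interval=timedelta(days=365),
)

# Same zone but with signatures that expire as often as they are refreshed:
# one late cron run and the zone fails validation.
TIGHT = ZoneTiming(
    dnskey_ttl=timedelta(days=1),
    anchor_ttl=timedelta(days=1),
    propagation=timedelta(days=1),
    sig_validity=timedelta(days=30),
    resign_interval=timedelta(days=30),
)

if __name__ == "__main__":
    start = datetime(2008, 10, 1)  # constructed date
    for step, when in rollover_schedule(start, YEARLY).items():
        print(f"{step:>20}: {when:%Y-%m-%d}")
    print("yearly plan, 30-day slip ok:", tolerates_slip(start, YEARLY, timedelta(days=30)))
    print("tight plan, 30-day slip ok: ", tolerates_slip(start, TIGHT, timedelta(days=30)))
```

The schedule is deliberately pessimistic: it uses the full TTL plus propagation at each step rather than assuming caches empty early, and it ignores the registry's own processing time, which should be added as a further wait if it is known.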
