Dnssec questions
Jeremy C. Reed
Jeremy_Reed at isc.org
Fri Sep 19 01:35:17 UTC 2008
On Tue, 16 Sep 2008, Thomas Schulz wrote:
> Am I correct in assuming that I can set up our server with the dnssec
> keys and then without any great rush send the dlv records to isc.org
> and no resolver will reject our zone because of the partial setup?
It should be fine. I have signed domains that don't have dlv records (and
parent doesn't know) and they work for others fine.
> What do I do when I want to change to new keys? It would seem that I
> can't change either my keys or the dlv record at isc.org without doing
> the other one first! Can I load new keys and keep the old ones loaded
> at the same time? If so, then changing the dlv record should be ok.
Yes, keep both keys at the same time. (I will see if I can get the ISC DLV
webpage updated about this.)
> Is it reasonable to set the expiration time to some large value for
> zones that would not be interesting to anyone? I am thinking of
> changing the key yearly but set the expire time to 2 years so that
> there will be no problems if I get side tracked for a month or so.
Yes, it is reasonable. Some do this monthly. Some do annually. Some say
several years is fine. (There were detailed postings about this recently
on this list.)
> What happens if one of our secondaries has no special setup for dnssec?
> Should it be still able to serve any records that it gets in the zone
> transfer?
It will be able to serve them. But it won't return the RRSIG or DS records
automatically (so no DNSSEC).
> And if it does not serve the key records when there are dlv
> records at isc.org what happens?
Then it will be normal DNS. The DLV records won't be consulted (at least
won't be required).
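The rollover advice above (keep the old and new keys published until the DLV record has been changed) can be checked mechanically before the old key is dropped. This is an added example, not code from the thread or from ISC: it builds DS/DLV-style records (digest type 2, SHA-256) from constructed sample DNSKEYs and confirms that every DLV entry still points at a key the zone publishes.

```python
import base64
import hashlib
import struct

# Constructed sample keys (not real zone material): (flags, algorithm, base64 public key)
ZONE = "example.com."
OLD_KSK = (257, 8, base64.b64encode(b"constructed old KSK public key").decode())
NEW_KSK = (257, 8, base64.b64encode(b"constructed new KSK public key").decode())


def owner_wire(name):
    """Canonical wire form of an owner name (lower-case, length-prefixed labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(zone, key):
    """DS (or DLV) record fields with digest type 2 (SHA-256) for one DNSKEY."""
    rdata = dnskey_rdata(*key)
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[1], 2, digest)


def trust_anchor_covered(zone, published_keys, ds_records):
    """True when every DS/DLV record still matches a DNSKEY the zone publishes.
    Pulling the old key before the DLV entry is updated makes this False."""
    published = {make_ds(zone, k) for k in published_keys}
    return all(ds in published for ds in ds_records)


if __name__ == "__main__":
    dlv_at_isc = [make_ds(ZONE, OLD_KSK)]  # what the DLV registry holds today
    print(trust_anchor_covered(ZONE, [OLD_KSK, NEW_KSK], dlv_at_isc))  # both keys loaded: safe
    print(trust_anchor_covered(ZONE, [NEW_KSK], dlv_at_isc))           # old key pulled early: broken
```

Run it with the DNSKEY RRset actually published by the zone and the DS/DLV data as currently registered; only when the function is still true after the registry shows the new key is it safe to remove the old one.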