dnssec-policy questions and suggestions

Matthijs Mekking matthijs at isc.org
Tue Dec 3 08:27:28 UTC 2019

On 11/14/19 7:49 PM, Tony Finch wrote:
> After some more thought I realise that it would be better to:
> * use inotifywatch to keep an eye out for key file changes
> * nsnotifyd can handle CDS changes as it is
> [ I thought something more complicated might be needed mainly because not
> all key file changes are reflected in the zone file in an obvious way... ]
> Some more questions:
> What style of KSK rollover is used? Double DS or double KSK? For an
> automated system (where there's relatively little faff for parental
> updates) I prefer double DS since it requires fewer DNSKEY records.

Sorry, it is Double KSK, so that the parent interactions are minimized.

It wouldn't be too hard to introduce Double DS too.

> If it uses double KSK, is there some arrangement to avoid doing ZSK and
> KSK rollovers at the same time, to keep the RRset size down?

No, such logic does not (yet) exist.

> Tony.

- Matthijs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-workers/attachments/20191203/64b46b6c/attachment.bin>

More information about the bind-workers mailing list