dnssec-policy questions and suggestions

Tony Finch dot at dotat.at
Thu Nov 14 18:49:47 UTC 2019


After some more thought I realise that it would be better to:

* use inotifywatch to keep an eye out for key file changes

* nsnotifyd can handle CDS changes as it is

[ I thought something more complicated might be needed mainly because not
all key file changes are reflected in the zone file in an obvious way... ]

Some more questions:

What style of KSK rollover is used? Double DS or double KSK? For an
automated system (where there's relatively little faff for parental
updates) I prefer double DS since it requires fewer DNSKEY records.

If it uses double KSK, is there some arrangement to avoid doing ZSK and
KSK rollovers at the same time, to keep the RRset size down?

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
the market alone does not distribute wealth or income fairly
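
Added example, not part of the original message: a Python model of the DNSKEY RRset size behind the double-DS versus double-KSK question above, including a ZSK rollover that overlaps the KSK rollover. It assumes one KSK and one ZSK in steady state, that only KSKs sign the DNSKEY RRset, that owner names are compressed to 2-byte pointers, and a constructed zone name; the function names and scenario labels are hypothetical.

```python
"""Estimate DNSKEY RRset wire size (keys + RRSIGs) under each rollover style."""

# (DNSKEY public key field, signature) sizes in bytes per algorithm.
# RSA-2048 key field = 1 (exponent length) + 3 (65537) + 256 (modulus).
ALGS = {"RSASHA256-2048": (260, 256), "ECDSAP256SHA256": (64, 64)}

# Scenario -> (DNSKEY records, RRSIGs over the DNSKEY RRset).
# Assumption: steady state is 1 KSK + 1 ZSK, and only KSKs sign the DNSKEY RRset.
SCENARIOS = {
    "steady state":          (2, 1),
    "double-DS KSK roll":    (2, 1),  # extra DS lives in the parent, not here
    "double-DS + ZSK roll":  (3, 1),  # pre-published ZSK adds one key
    "double-KSK roll":       (3, 2),  # both KSKs published, both sign
    "double-KSK + ZSK roll": (4, 2),
}

def name_len(zone):
    """Uncompressed wire length of a domain name such as 'example.org.'."""
    labels = [label for label in zone.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1  # +1 for the root label

def rrset_size(zone, alg, n_keys, n_sigs):
    """Bytes occupied by n_keys DNSKEY RRs plus n_sigs RRSIG RRs in a response."""
    key_len, sig_len = ALGS[alg]
    header = 2 + 10  # compressed owner pointer + type, class, TTL, rdlength
    dnskey = header + 4 + key_len  # flags (2), protocol (1), algorithm (1), key
    # RRSIG fixed fields are 18 bytes; the signer name is never compressed.
    rrsig = header + 18 + name_len(zone) + sig_len
    return n_keys * dnskey + n_sigs * rrsig

def peak_sizes(zone, alg):
    """Return {scenario: DNSKEY RRset size in bytes} for one zone and algorithm."""
    return {name: rrset_size(zone, alg, keys, sigs)
            for name, (keys, sigs) in SCENARIOS.items()}

if __name__ == "__main__":
    zone = "example.org."  # constructed sample zone
    for alg in ALGS:
        print(alg)
        for scenario, size in peak_sizes(zone, alg).items():
            print(f"  {scenario:<24}{size:>6} bytes")
```
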

