libor.peltan> ...and (if I understand this idea correctly) since every
libor.peltan> server would have different KSK, you would need multiple
libor.peltan> DS in the parent zone (the parent must allow it).
ebersman> This has to be allowed or you can't roll the KSK yourself.
tis> You only need one DS record at a time for that. You replace old DS
tis> with new one when you do roll over.
You need to have both there with overlap time to allow for caches to
expire old DS and put in new DS or there is risk of validation failure.
This is especially important with DS, since many registries/registrars
have 48-hour TTLs for DS but only 24 hours or less for NS.