False again.
There are two methods of performing KSK roll-over.
1. so called "double-KSK" where two KSKs are active during the exchange
phase. Only one DS is needed at any time (the old at first, the new
afterwards).
2. so called "double-DS" where it's not necessary to have both KSKs
active simultaneously, but you need to have two DS at the parent for
some period.
Please read RFC 6781 carefully.
By the way, Knot is only able to automate double-KSK roll-overs.
/Libor
On 30. 11. 20 at 18:07 Paul Ebersman wrote:
libor.peltan> ...and (if I understand this idea correctly) since every
libor.peltan> server would have different KSK, you would need multiple
libor.peltan> DS in the parent zone (the parent must allow it).
ebersman> This has to be allowed or you can't roll the KSK yourself.
tis> You only need one DS record at a time for that. You replace old DS
tis> with new one when you do roll over.
You need to have both there with overlap time to allow for caches to
expire old DS and put in new DS or there is risk of validation failure.
This is especially important with DS, since many registries/registrars
have 48 hour TTLs for DS but only 24 hour or less for NS.
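To make the timing behind the two methods concrete, here is an added example (not code from Knot DNS or from anyone in the thread) that checks a roll-over schedule for cache consistency: at the start of every stage it pairs every DS RRset and every DNSKEY RRset a resolver could still hold within TTL and checks that some DS names a key that is both present in and signing the cached DNSKEY set. The key tags, the 24h DNSKEY TTL and the 2h propagation margin are constructed; the 48h DS TTL is the figure quoted in the thread.

```python
# Added example (not Knot DNS or thread code): check a KSK roll-over schedule for
# cache consistency stage by stage, in the spirit of RFC 6781. Key tags, the 24h
# DNSKEY TTL and the 2h margin are constructed; the 48h DS TTL is the thread's.
from collections import namedtuple

# hours: stage length; ds: key tags in the parent's DS set; dnskey: key tags in the
# DNSKEY RRset; signers: key tags whose RRSIG covers the DNSKEY RRset
Stage = namedtuple("Stage", "hours ds dnskey signers")

def validates(ds, dnskey, signers):
    """A validator needs one DS naming a key that is in, and signs, the DNSKEY RRset."""
    return any(t in dnskey and t in signers for t in ds)

def check_schedule(stages, ds_ttl, dnskey_ttl):
    """Return (stage, cached-DS stage, cached-DNSKEY stage) for each combination of
    still-live cached data that fails to validate at the start of some stage."""
    starts, t = [], 0.0
    for s in stages:
        starts.append(t)
        t += s.hours

    def live(now, ttl):  # stages whose RRset a cache may still hold at 'now'
        return [j for j, s in enumerate(stages)
                if starts[j] <= now and starts[j] + s.hours > now - ttl]

    return [(i, j, k) for i in range(len(stages))
            for j in live(starts[i], ds_ttl) for k in live(starts[i], dnskey_ttl)
            if not validates(stages[j].ds, stages[k].dnskey, stages[k].signers)]

OLD, NEW = 11111, 22222                  # constructed key tags
DS_TTL, DNSKEY_TTL, MARGIN = 48, 24, 2   # hours; margin stands for propagation delay

def double_ksk(wait_dnskey=DNSKEY_TTL + MARGIN, wait_ds=DS_TTL + MARGIN):
    """Double-KSK: both KSKs published and signing; the single DS is swapped in one step."""
    return [Stage(1000, {OLD}, {OLD}, {OLD}),
            Stage(wait_dnskey, {OLD}, {OLD, NEW}, {OLD, NEW}),  # new KSK published
            Stage(wait_ds, {NEW}, {OLD, NEW}, {OLD, NEW}),      # DS replaced at parent
            Stage(1000, {NEW}, {NEW}, {NEW})]                   # old KSK withdrawn

def double_ds(wait_ds=DS_TTL + MARGIN, wait_dnskey=DNSKEY_TTL + MARGIN):
    """Double-DS: both DS at the parent for a while; the single KSK is swapped in one step."""
    return [Stage(1000, {OLD}, {OLD}, {OLD}),
            Stage(wait_ds, {OLD, NEW}, {OLD}, {OLD}),           # new DS published
            Stage(wait_dnskey, {OLD, NEW}, {NEW}, {NEW}),       # KSK swapped, signs alone
            Stage(1000, {NEW}, {NEW}, {NEW})]                   # old DS withdrawn

if __name__ == "__main__":
    print("double-KSK   :", check_schedule(double_ksk(), DS_TTL, DNSKEY_TTL))
    print("double-DS    :", check_schedule(double_ds(), DS_TTL, DNSKEY_TTL))
    print("DS swap early:", check_schedule(double_ds(wait_ds=24), DS_TTL, DNSKEY_TTL))
```

An empty list means no resolver can end up with a DS/DNSKEY combination that fails; shortening either wait below the relevant TTL produces the failing combination as a tuple of stage indices.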