[Dnssec-deployment] .EU only publishes DS records that it can observe on the authoritative nameservers
richard.lamb at icann.org
Wed Mar 30 14:46:11 EDT 2011
> "The registry system has a dynamic validator that only updates the root
> zone if the DS records submitted are confirmed to have matching DNSKEY
> records on the selected nameservers."
> Surely this prevents KSK rollovers where DS pre-publish is used?
Having written a few KSK rollover procedural documents, I am interested in this as well.
It seems that without the capability to pre-publish a yet-to-be-valid DS record, the DNSKEY RRSets get large enough to cause packet fragment problems. This has at least been my experience.
I have tried pre-publishing DS records on .net and that seems to work.
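
The following is an added example, not part of the original message: a Python sketch of a registry-side check of the kind the quoted text describes, showing why a pre-published DS for a standby KSK is not published while the double-key approach (both keys in the DNSKEY RRset) is. The zone name, the placeholder key bytes and the `publishable` function are assumptions made for illustration; the DS and key tag computations follow RFC 4034.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def publishable(owner, submitted_ds, observed_dnskeys):
    """Assumed model of the registry check: keep only DS records that match
    a DNSKEY currently observed on the zone's nameservers."""
    seen = {make_ds(owner, k) for k in observed_dnskeys}
    return [ds for ds in submitted_ds if ds in seen]

# Constructed sample data: the key bytes are placeholders, not real keys.
ZONE = "example.eu."
ACTIVE_KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
STANDBY_KSK = dnskey_rdata(257, 3, 8, bytes(range(64, 128)))
SUBMITTED = [make_ds(ZONE, ACTIVE_KSK), make_ds(ZONE, STANDBY_KSK)]

def rollover_outcomes():
    """DS sets the registry would publish for the two rollover styles."""
    pre_publish = publishable(ZONE, SUBMITTED, [ACTIVE_KSK])  # standby key not served yet
    double_key = publishable(ZONE, SUBMITTED, [ACTIVE_KSK, STANDBY_KSK])  # larger DNSKEY RRset
    return pre_publish, double_key

if __name__ == "__main__":
    pre, dbl = rollover_outcomes()
    print("DS pre-publish:", len(pre), "of", len(SUBMITTED), "DS records published")
    print("Both keys in DNSKEY RRset:", len(dbl), "of", len(SUBMITTED), "DS records published")
```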