Checking ahead of the DNSSEC root KSK rollover ... all my resolvers have a ttl > 24h for the root DNSKEY RRset, so I plan to give them a delicate kick after H-hour to ensure things are OK before I head to Amsterdam tomorrow
3
3
6
I've had to deal with a number of KSK rollovers for the first time in production recently. I only fluffed up one of them (the most important one) :-) I need to see if I can automate GANDI to update the KSKs
2
I understand GANDI is in on CDS/CDNSKEY, should make things easier
2
Replying to @dsilverstone @fanf
you publish intended parent-side DS on your side as CDS; parent monitors this, trusts it after a few days and adopts it. CDNSKEY is the obvious non-hashed variant.
2
Oh that sounds very useful. I'll have to look what the complexity of creating the records will be for our infra. That'd be a super-duper way to fix things
I am now even more grumpy about the university finance bureaucracy, sigh