Checking ahead of the DNSSEC root KSK rollover ... all my resolvers have a ttl > 24h for the root DNSKEY RRset, so I plan to give them a delicate kick after H-hour to ensure things are OK before I head to Amsterdam tomorrow
I've had to deal with a number of KSK rollovers for the first time in production recently. I only fluffed up one of them (the most important one) :-) I need to see if I can automate GANDI to update the KSKs
I understand GANDI is in on CDS/CDNSKEY, should make things easier
you publish intended parent-side DS on your side as CDS; parent monitors this, trusts it after a few days and adopts it. CDNSKEY is the obvious non-hashed variant.
Replying to @Habbie @fanf
So, if I publish the DS and DNSKEY records I want as CDS/CDNSKEY respectively, Gandi (possibly after some configuration) will automatically pick them up, meaning that as I introduce the new KSK, it will pick it up automatically etc?

Oct 11, 2018 · 12:25 PM UTC

Replying to @dsilverstone @fanf
that is the idea. It's unclear to me how far along their implementation/deployment is.