> On 30 Sep 2021, at 6:22 pm, Peter van Dijk <[email protected]>
> wrote:
>
>> Pity this did not go smoothly for them, a premature rollout can be mildly
>> inconvenient, but then yanking the DS RRs was definitely a bad call.
>
> Yanking a DS does not break domains. Yanking DNSKEY+RRSIG before the DS
> is expired breaks domains. If there was a bad call (which we can't know
> from our back seats), yanking the DS was not it.
Sorry about the fuzzy description, yes I know the issue was yanking the
DNSKEYs (actually both DNSKEYs and DS at the same time).
It is far from clear why one would decide to do that, and why one would
not quickly resign and push the zone to reduce the impact.
--
Viktor.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
