--- Begin Message ---
Hi there.
I am considering a DNSSEC transition in the following scenario:
- Org 1 operates both the parent domain, with a delegation-only server, and the
child domain, with a set of authoritative servers. A zone cut is present.
- Org 2 operates only authoritative servers
- Child domain is currently signed by Org 1, with a DS record matching DNSKEY
and RRSIGs served by the authoritative servers.
- Child domain is moving from the authoritative servers of Org 1 to the
authoritative servers of Org 2. Org 1 will keep running the parent domain.
- Org 2 will now run the child domain, with no DNSSEC
Simple way is to remove the DS from the parent, wait for the DS TTL to be over,
and then change the delegation at the parent domain. But this makes the change
wait for that DS TTL.
I wonder if there is a way to make this transition happen faster from an
outside POV, even if under the hood there is still work in progress during the
DS TTL. Is there a way to tell "hey,
DNSSEC is no longer available for this domain, and I can prove that with an RRSIG
record" that resolvers would trust? Because other than that, the next option
would be to act as a recursor querying the new name servers, and on the fly
signing the responses.
Rubens
--- End Message ---
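The "remove the DS, wait out the DS TTL, then move the delegation" procedure from the message above, turned into a pre-flight check. This is an added example, not code from the original post: a small POSIX shell script that parses captured output of `dig +noall +answer DS child.example. @parent-ns` (the names `child.example.` and `parent-ns` are placeholders), counts the DS records the parent still publishes, reports the largest DS TTL seen, and computes the earliest Unix time at which the NS change can be made without a validating resolver still holding a cached DS for the old keys. The dig output lines and timestamps are constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the original message): "go-insecure" readiness
# check for a signed child zone whose DS is being withdrawn from the parent.
#
# Assumptions (placeholders, not values from the post):
#   - child zone:  child.example.
#   - parent NS:   parent-ns
#   - the input is the text of `dig +noall +answer DS child.example. @parent-ns`
#     read from stdin, one RR per line: NAME TTL CLASS TYPE RDATA...

# ds_count: number of DS RRs in a dig answer section read from stdin
ds_count() {
    awk '$4 == "DS" { n++ } END { print n + 0 }'
}

# ds_max_ttl: largest TTL among DS RRs on stdin (0 when no DS is present)
ds_max_ttl() {
    awk '$4 == "DS" && $2 + 0 > m { m = $2 + 0 } END { print m + 0 }'
}

# safe_switch_time DS_REMOVED_AT OLD_DS_TTL
# Earliest epoch second at which the NS delegation may be changed. The wait is
# governed by the DS TTL that was published *before* removal, because that is
# the longest any resolver can keep the old DS (and therefore keep expecting
# RRSIGs from the old servers) in its cache.
safe_switch_time() {
    echo $(( $1 + $2 ))
}

# ready_to_switch DIG_OUTPUT NOW DS_REMOVED_AT OLD_DS_TTL
# Returns 0 (success) only when the parent publishes no DS for the child and
# the old DS TTL has fully elapsed since removal; otherwise returns 1.
ready_to_switch() {
    remaining=$(printf '%s\n' "$1" | ds_count)
    [ "$remaining" -eq 0 ] || return 1
    [ "$2" -ge "$(safe_switch_time "$3" "$4")" ] || return 1
    return 0
}

# Constructed sample: parent still publishing two DS records (digests are fake).
SAMPLE_BEFORE='child.example.	3600	IN	DS	12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
child.example.	3600	IN	DS	12345 13 4 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210'

# Constructed sample after DS withdrawal: a NODATA answer prints no RRs with
# +noall +answer (the signed NSEC/NSEC3 proof lives in the authority section).
SAMPLE_AFTER=''

# Constructed timeline: DS removed at T0, old DS TTL was one hour.
T0=1700000000
OLD_TTL=3600

echo "DS records still published (before): $(printf '%s\n' "$SAMPLE_BEFORE" | ds_count)"
echo "largest DS TTL seen (before):        $(printf '%s\n' "$SAMPLE_BEFORE" | ds_max_ttl)"
echo "DS records still published (after):  $(printf '%s\n' "$SAMPLE_AFTER" | ds_count)"
echo "earliest safe NS switch (epoch):     $(safe_switch_time "$T0" "$OLD_TTL")"
# Real-world usage, once the DS has been pulled from the parent:
#   dig +noall +answer DS child.example. @parent-ns | ds_count
```

The interesting detail is which TTL drives the wait: it is the TTL the DS carried while it was still published, not anything the parent serves afterwards, so `ds_max_ttl` should be recorded before the DS is removed. A resolver that cached that DS will keep validating the child against the old DNSKEY until it expires, which is why moving the NS records to the unsigned Org 2 servers before then yields SERVFAIL at validating resolvers.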
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations