On 21:22 20/01, Rubens Kuhl via dns-operations wrote:
> Simple way is to remove the DS from the parent, wait for the DS TTL to be
> over, and then change the delegation at the parent domain. But this makes the
> change to wait for that DS TTL.
>
> I wonder if there is a way to make this transition to happen faster from an
> outside POV, even if under the hood there is still work in progress during
> the DS TTL. Is there a way to tell "hey, DNSSEC is no longer available to this
> domain, and I can prove that with RRSIG record" that resolvers would trust?
> Because other than that, the next option would be to act as a recursor
> querying the new name servers, and on the fly signing the responses.
The authoritative server could add an NSEC/3 in the authority section alongside the NS set, without the DS bit in the type map, as evidence. A resolver could trust it or make another DS query, but it needs to synchronize an NS change with its DS record.

Hugo
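
The evidence Hugo describes is the type bitmap of the parent-side NSEC/NSEC3 for the delegation name: NS is set, DS is not. As an added example (not code from the thread or from either poster), this Python decoder/encoder for the RFC 4034 type bitmap wire format checks that condition; the sample bitmaps are constructed and the helper names are my own.

```python
"""Decode/encode the NSEC and NSEC3 type bitmap (RFC 4034 s4.1.2, RFC 5155 s3.2.1)."""
from typing import Dict, Iterable, List

TYPE_NS, TYPE_DS = 2, 43  # RR type numbers that matter for a delegation


def decode_type_bitmap(bitmap: bytes) -> List[int]:
    """Return the RR type numbers set in a wire-format type bitmap."""
    types: List[int] = []
    i = 0
    while i < len(bitmap):
        if i + 2 > len(bitmap):
            raise ValueError("truncated window header")
        window, length = bitmap[i], bitmap[i + 1]
        if not 1 <= length <= 32:  # each window carries 1..32 octets
            raise ValueError(f"bad window length {length}")
        block = bitmap[i + 2:i + 2 + length]
        if len(block) != length:
            raise ValueError("truncated window bitmap")
        for byte_index, byte in enumerate(block):
            for bit in range(8):
                if byte & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.append(window * 256 + byte_index * 8 + bit)
        i += 2 + length
    return types

def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Inverse of decode_type_bitmap; windows with no bits set are omitted."""
    windows: Dict[int, bytearray] = {}
    for t in sorted(set(types)):
        if not 0 <= t <= 0xFFFF:
            raise ValueError(f"bad RR type {t}")
        bits = windows.setdefault(t >> 8, bytearray(32))
        bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for window, bits in sorted(windows.items()):
        trimmed = bytes(bits).rstrip(b"\x00")  # trailing zero octets are not sent
        out += bytes([window, len(trimmed)]) + trimmed
    return bytes(out)

def delegation_claims_no_ds(bitmap: bytes) -> bool:
    """True if the map shows a delegation (NS set) with no DS. This only reads the
    bitmap; a resolver must still validate the NSEC's RRSIG from the parent zone."""
    types = decode_type_bitmap(bitmap)
    return TYPE_NS in types and TYPE_DS not in types

# Constructed samples: NS DS RRSIG NSEC (secure) vs. NS RRSIG NSEC (insecure)
SECURE_DELEGATION = encode_type_bitmap([TYPE_NS, TYPE_DS, 46, 47])
INSECURE_DELEGATION = bytes.fromhex("0006200000000003")
```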
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
