On 8 Oct 2012, at 15:35, Ray Bellis <[email protected]> wrote:
>
> <http://conferences.npl.co.uk/satin/presentations/satin2011slides-Crocker.pdf>
That procedure is incorrect: it is missing a wait step between updating the DS
and DNSKEY RRsets and updating the NS RRsets. A validator might fetch data from
the new operator and try (and fail) to validate it against old cached keys.
Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
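
Added illustration, not part of the message above or of the slides it refers to: a small Python model of a validator's DNSKEY cache, showing the failure when the NS change follows the key update with no wait. The key labels, the TTL, the assumption that the updated DNSKEY RRset holds both operators' keys, and the choice of one full TTL as the wait are all assumptions made for this example.

```python
from dataclasses import dataclass

DNSKEY_TTL = 3600        # assumed TTL (seconds) of the DNSKEY RRset
KEYS_UPDATED_AT = 1000   # constructed time at which DS/DNSKEY are updated


@dataclass
class CachedRRset:
    keys: frozenset
    expires: int


def published_dnskeys(t):
    """DNSKEY RRset served at time t: old key only before the update,
    old and new operator keys after it (assumed procedure)."""
    if t >= KEYS_UPDATED_AT:
        return frozenset({"K_old", "K_new"})
    return frozenset({"K_old"})


class Validator:
    """Validating resolver that caches the DNSKEY RRset for its TTL."""

    def __init__(self):
        self.cache = None

    def dnskeys(self, t):
        # Refetch only when nothing is cached or the cached RRset expired.
        if self.cache is None or t >= self.cache.expires:
            self.cache = CachedRRset(published_dnskeys(t), t + DNSKEY_TTL)
        return self.cache.keys

    def validate(self, t, signing_key):
        # Data validates only if its signing key is in the RRset in use.
        return signing_key in self.dnskeys(t)


def new_operator_data_validates(wait_before_ns_change):
    """True if data from the new operator validates right after the NS change."""
    v = Validator()
    # The validator caches the old DNSKEY RRset just before the update.
    v.validate(KEYS_UPDATED_AT - 1, "K_old")
    ns_changed_at = KEYS_UPDATED_AT + wait_before_ns_change
    # After the NS change, answers come from the new operator (signed K_new).
    return v.validate(ns_changed_at, "K_new")


if __name__ == "__main__":
    for wait in (0, DNSKEY_TTL // 2, DNSKEY_TTL):
        print(wait, new_operator_data_validates(wait))
```

The same reasoning applies to a cached DS RRset, which this model leaves out.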