On Jul 9, 2013, at 5:56 AM, Antoin Verschuren <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09-07-13 10:05, Patrik Fältström wrote:
>>
>> The registry gets an EPP update via a secure channel to change the
>> NS. They can at that time (before the new zone is published) issue
>> queries for CDS at the suggested new target of the NS, and if the
>> CDS exists there they can fetch the CDS, see if key material
>> changed, and incorporate the data in the zone that is to be
>> published.
>
> That CDS record will not validate at that point in time, so it will
> always be ignored.
> The prerequisite for CDS is that the record can be validated, and the
> new zone is not yet in the chain of trust if the DNSKEY RRset that is
> present in the validating resolver does not contain the key by which
> the CDS record in the new zone is signed.
Antoin is right: CDS or CSYNC can only help with an operator change
when the OLD operator is highly cooperative.
The old operator has to be willing and able to publish change information
about the new operator in its copy of the zone, and it has to publish it
long enough for the parent to pick it up.
Olafur
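The chain-of-trust point made in this exchange, as an added, constructed example (not code from the thread, from any registry, or from RFC 7344): a parent-side acceptance check that validates a child's CDS RRset only under the DS the parent already publishes. The zone served by the new operator is signed with a key the parent has never anchored, so its CDS is ignored; the same CDS published by the cooperating old operator, signed under the still-trusted old key, is accepted. The `Key`, `ChildZone`, `trusted_dnskeys` and `accept_cds` names are this example's own, and the "signature" is a SHA-256 stand-in that only exercises the key-binding logic and has no cryptographic value.

```python
"""Parent-side CDS acceptance during a DNS operator change (constructed model).

Toy cryptography: a 'signature' is SHA-256 over the signer's public key and the
canonical RRset. It models which key signed what, nothing more.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


@dataclass(frozen=True)
class Key:
    name: str      # label used in this example only
    public: bytes  # what a DNSKEY record would carry

    def ds(self) -> bytes:
        """DS digest the parent would publish for this DNSKEY."""
        return _h(b"ds", self.public)

    def sign(self, rrset: bytes) -> Tuple[bytes, bytes]:
        """Return (signer public key, toy RRSIG) over a canonical RRset."""
        return self.public, _h(b"sig", self.public, rrset)


def make_key(name: str) -> Key:
    return Key(name, _h(b"pub", name.encode()))


def verify(signer: bytes, rrset: bytes, sig: bytes) -> bool:
    return sig == _h(b"sig", signer, rrset)


def canonical_dnskeys(keys: List[Key]) -> bytes:
    return b"DNSKEY:" + b",".join(sorted(k.public for k in keys))


def canonical_cds(cds: List[bytes]) -> bytes:
    return b"CDS:" + b",".join(sorted(cds))


@dataclass
class ChildZone:
    dnskeys: List[Key]               # DNSKEY RRset at the child apex
    dnskey_sig: Tuple[bytes, bytes]  # RRSIG over the DNSKEY RRset
    cds: List[bytes]                 # CDS RRset: DS digests the child asks for
    cds_sig: Tuple[bytes, bytes]     # RRSIG over the CDS RRset


def trusted_dnskeys(parent_ds: Set[bytes], zone: ChildZone) -> Set[bytes]:
    """Keys the parent may trust: the DNSKEY RRset must be signed by a key
    whose DS digest the parent already publishes."""
    signer, sig = zone.dnskey_sig
    anchored = {k.public for k in zone.dnskeys if k.ds() in parent_ds}
    if signer in anchored and verify(signer, canonical_dnskeys(zone.dnskeys), sig):
        return {k.public for k in zone.dnskeys}
    return set()


def accept_cds(parent_ds: Set[bytes], zone: ChildZone) -> Optional[List[bytes]]:
    """Return the DS set to publish, or None when the CDS does not validate
    under the existing chain of trust and must be ignored."""
    signer, sig = zone.cds_sig
    if signer not in trusted_dnskeys(parent_ds, zone):
        return None
    if not verify(signer, canonical_cds(zone.cds), sig):
        return None
    return sorted(zone.cds)


# Constructed scenario: the parent currently anchors only the old operator's key.
OLD_KSK = make_key("old-operator-ksk")
NEW_KSK = make_key("new-operator-ksk")
PARENT_DS = {OLD_KSK.ds()}


def new_operator_zone() -> ChildZone:
    """Zone as served by the new operator before any DS change: signed only
    with its own key, which the parent has never seen."""
    keys, cds = [NEW_KSK], [NEW_KSK.ds()]
    return ChildZone(keys, NEW_KSK.sign(canonical_dnskeys(keys)),
                     cds, NEW_KSK.sign(canonical_cds(cds)))


def cooperating_old_operator_zone() -> ChildZone:
    """Old operator publishes a CDS naming the new operator's key, signed
    under the old key the parent still trusts."""
    keys, cds = [OLD_KSK], [NEW_KSK.ds()]
    return ChildZone(keys, OLD_KSK.sign(canonical_dnskeys(keys)),
                     cds, OLD_KSK.sign(canonical_cds(cds)))


if __name__ == "__main__":
    print("new operator alone:", accept_cds(PARENT_DS, new_operator_zone()))
    print("old operator cooperating:", accept_cds(PARENT_DS, cooperating_old_operator_zone()))
```

The first call returns `None`: the CDS at the suggested new NS target cannot be validated, so querying it at EPP-update time gains nothing. The second returns the new operator's DS, which is why the old operator has to publish that CDS, and keep it published long enough for the parent to poll it.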
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop