> On 25 Feb 2021, at 09:13, Ben Schwartz <[email protected]> wrote:
>
> On Wed, Feb 24, 2021 at 4:44 PM Mark Andrews <[email protected]> wrote:
>
> > On 25 Feb 2021, at 02:01, Ulrich Wisser <[email protected]> wrote:
> > ...
> > > At the current state of dnssec RFC definitions it is unclear how you could
> > > change DNS operators securely if these operators do not sign the zone with
> > > the same algorithm.
> >
> > You can’t do that as the logic doesn’t allow it. Perform algorithm rolls to
> > and from mandatory to implement algorithms before and after the move if
> > necessary.
>
> What if you set all TTLs to zero on both sides until the transition is
> complete?
You still can’t do it. You need to publish simultaneous DS records for the
losing and gaining zones. Zone transfers take time. The DNS is loosely coherent.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
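An added worked example, not part of the thread and not code from any of the participants: a signer-side lint for the RFC 4035 section 2.2 publishing rules (the apex DNSKEY RRset must be signed with every algorithm the parent's DS RRset signals, and every RRset must be signed with every algorithm in the DNSKEY RRset), together with the DS records the parent would have to hold for both operators' KSKs at once. It assumes a DS digest type of SHA-256 and uses constructed placeholder key bytes, not real keys. The simulation shows why a losing operator on RSASHA256 and a gaining operator on ECDSAP256SHA256 cannot both be publishable under one DS RRset, and that the copies pass once the losing side has rolled to the gaining side's algorithm before the move.

```python
# Added example (not from the thread): a signer-side check of the RFC 4035
# section 2.2 signing rules during an operator change, plus the DS records
# the parent publishes for both operators. All key material is placeholder.
import base64
import hashlib
import struct

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA256 = 8
ECDSAP256SHA256 = 13
DS_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64):
    """DS RDATA (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, DS_SHA256, digest)


def publish_check(ds_rrset, dnskey_rrset, rrsig_algs_by_rrset):
    """Apply the RFC 4035 section 2.2 rules to one served copy of the zone.

    ds_rrset: DS tuples as returned by ds_record().
    dnskey_rrset: (flags, protocol, algorithm, pubkey_b64) tuples at the apex.
    rrsig_algs_by_rrset: {RR type: set of RRSIG algorithms covering that RRset}.
    Returns a list of violations; an empty list means the copy is publishable.
    """
    problems = []
    ds_algs = {ds[1] for ds in ds_rrset}
    key_algs = {key[2] for key in dnskey_rrset}
    # The apex DNSKEY RRset must carry an RRSIG for every algorithm in the DS RRset.
    for alg in sorted(ds_algs - rrsig_algs_by_rrset.get("DNSKEY", set())):
        problems.append(f"DS RRset signals algorithm {alg} but the DNSKEY RRset has no RRSIG with it")
    # Every RRset must carry an RRSIG for every algorithm in the DNSKEY RRset.
    for rrtype, sig_algs in rrsig_algs_by_rrset.items():
        for alg in sorted(key_algs - sig_algs):
            problems.append(f"{rrtype} RRset lacks an RRSIG for algorithm {alg} present in the DNSKEY RRset")
    return problems


def operator_transfer(losing_alg, gaining_alg, owner="example."):
    """Simulate both operators' copies while the parent holds a DS for each KSK."""
    # Constructed placeholder keys: flags 257 = KSK, protocol 3.
    losing_ksk = (257, 3, losing_alg, base64.b64encode(b"losing-operator-ksk").decode())
    gaining_ksk = (257, 3, gaining_alg, base64.b64encode(b"gaining-operator-ksk").decode())
    parent_ds = [ds_record(owner, *losing_ksk), ds_record(owner, *gaining_ksk)]
    # Each operator serves only its own key and signs only with its own algorithm.
    report = {}
    for side, ksk in (("losing", losing_ksk), ("gaining", gaining_ksk)):
        sigs = {"DNSKEY": {ksk[2]}, "SOA": {ksk[2]}, "NS": {ksk[2]}}
        report[side] = publish_check(parent_ds, [ksk], sigs)
    return parent_ds, report


if __name__ == "__main__":
    # Mixed algorithms: each copy violates the rule for the other operator's algorithm.
    _, mixed = operator_transfer(RSASHA256, ECDSAP256SHA256)
    # Losing operator rolled to the gaining operator's algorithm first: both copies pass.
    _, aligned = operator_transfer(ECDSAP256SHA256, ECDSAP256SHA256)
    for side in ("losing", "gaining"):
        print(side, "mixed:", mixed[side] or "ok", "| aligned:", aligned[side] or "ok")
```

The check is deliberately placed on the publishing side rather than the resolver side: RFC 6840 section 5.11 tells validators to accept any single valid path and not to insist that every algorithm signalled in the DS RRset works, so a lenient validator may mask the problem while the zone is still out of compliance with what a signer must publish.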
