<div><div dir="auto">Having the old and new operators cross sign each other’s keys is, I believe, the only foolproof way to get this done without losing validation. There are ways to minimize the damage, which you’ve obviously explored.</div></div><div dir="auto"><br></div><div dir="auto">How much flexibility do you have in time and money?</div><div dir="auto"><br></div><div dir="auto">Shumon Huque has been approaching this issue from a different perspective, which is how to have multiple dns providers. The idea is similar, but it feels different to the providers because bringing the new one into operation doesn’t immediately imply the first one will be shut down.</div><div dir="auto"><br></div><div dir="auto">Another element to consider is how often changes are being made to the zone. It makes a difference if the zone is stable for a long time versus changing frequently.</div><div dir="auto"><br></div><div dir="auto">And to avoid the problem in the future, make sure the new operator will cooperate if you want to add another operator down the line.</div><div dir="auto"><br></div><div dir="auto">I have an interest in improving the mechanics and the rules so others won’t have this problem. When you have a moment, I’d like to discuss your help in pushing on this. Probably better off list.</div><div dir="auto"><br></div><div dir="auto">Steve</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 4, 2019 at 3:55 PM Anthony Eden <<a href="mailto:anthony.eden@dnsimple.com">anthony.eden@dnsimple.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Is the algorithm remaining the same between the two providers?<div><br></div><div>If so then having both provider's DS records and changing the delegation should work, but you probably want to leave the old DS record present longer before removing it. We are leaving old DS records a minimum of 48 hours (for example, when removing DNSSEC, and longer when we rotate keys, but that's more to give customers more time to add the DS where automation isn't possible).</div><div><br></div><div>If the algorithms are different... well, then you're stuck so far as I can tell - both providers need to use the same algorithm.</div><div><br></div><div>Sincerely,</div><div>Anthony Eden</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 4, 2019 at 3:38 PM James Stevens <<a href="mailto:james.stevens@jrcs.co.uk" target="_blank">james.stevens@jrcs.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">I'm working with a large client who is currently trying to change their <br>
DNSSEC signing operator. The client is *very* against going unsigned, if <br>
it can be avoided.<br>
<br>
Of course, option-1 would be to follow RFC-6781 - but looks like that's <br>
not going to be possible :(<br>
<br>
Currently neither operator appears to support adding each other's <br>
DNSKEYs in the zone. I have tickets open with both, but I'm not holding <br>
my breath.<br>
<br>
<br>
What I tried (with a test zone) was to put both operator's DS keys in <br>
the parent, wait >24 hrs then switch all NS (parent & zone), all the <br>
time polling Google, Cloudflare and ISC's test bind & unbound to check <br>
for outage - using queries that would give NXDOMAIN answers, to avoid <br>
cached answers.<br>
<br>
NS ttl is 3600, DNSKEY ttl is 7200 and parent is dot-COM, so DS ttl is 86400<br>
<br>
Cloudflare switched to validating with the new keys pretty much <br>
immediately, with very little outage.<br>
<br>
ISC's servers both behaved the same - they kept validating on the old <br>
keys until the NS expired, then they gave SERVFAIL until the DNSKEY <br>
expired, then they switched and orked fine on the new keys.<br>
<br>
Google was odd - they switch randomly and gradually - 7 hours later some <br>
of their servers still hadn't switched (i.e were giving answers <br>
validated using the old keys) and they were often refreshing the TTL on <br>
the old DNSKEYs - I can't see how that could be correct behavior after 7 <br>
hours?? 24 hrs later they had completely switched to the new keys.<br>
<br>
<br>
If I can just get the old provider to carry the new DNSKEYs, it seems to <br>
me this would alleviate most of the outage.<br>
<br>
Failing that plan-b is to try and reduce the TTL on the NS & DNSKEY, to <br>
minimize the outage.<br>
<br>
Plan-Z is unsigned for 24 hrs :(<br>
<br>
<br>
So questions<br>
<br>
1) Am I right that Google is behaving oddly?<br>
2) Anybody got any better ideas for switching while avoiding going <br>
unsigned and avoiding outage ?<br>
<br>
<br>
<br>
James<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-operations mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="m_-1443106048126575169gmail_signature">DNSimple.com<br><a href="http://dnsimple.com/" target="_blank">http://dnsimple.com/</a><br>Twitter: @dnsimple</div>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-operations mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div>