[dns-operations] Advice sought: moving delegations into child zones
Anand Buddhdev
anandb at ripe.net
Sat Mar 19 09:35:00 UTC 2011
Hello DNS experts,
I'm seeking advice on the best way to do the following:
There's a zone Z, which is signed, and over which I have no control.
There's a delegation in it, of the form:
a.p    NS ns1.example.com.
       NS ns2.example.com.
There's also an RRSIG for this RRset, because Z is signed. However, none
of a.p is signed.
What I now need to do is to create a zone p.Z in zone Z, and move the
delegation into it. So what I want in Z is:
p      NS ns1.another.
       NS ns2.another.
       NS ns3.another.
And then in p.Z I want:
a      NS ns1.example.com.
       NS ns2.example.com.
I know that without DNSSEC, I can do the transition without any pain.
There would be no disruption of service for a.p.Z. However, since Z is
signed, caches will have RRSIGs for a.p.Z for some time.
What's the best way of doing this transition without causing any
disruption for a.p.Z?
My initial thought was to go through an unsigned phase for p.Z, i.e.:
1. Create unsigned zone p.Z
2. Create delegation for a.p.Z in it
3. Ask operator of Z to remove delegation for a.p.Z and replace with
delegation for p.Z
4. Wait for $TTL so that RRSIGs for a.p.Z (from Z) expire
5. Sign p.Z
Is this a reasonable approach?
Regards,
Anand Buddhdev
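The record rearrangement in steps 1 to 3 above, as an added example that is not part of the original post: it parses zone-file style lines in the post's layout (a blank owner repeats the previous one), computes which records Z keeps and which move into the new child zone p.Z with the child label stripped, and renders the result back in the same layout. The nameserver names are the post's; the function names and the `@` apex convention are assumptions of this example.

```python
"""Plan moving a delegation from zone Z into a new child zone (added example).

Only the zone-content side of the cutover is modelled here; the TTL wait in
step 4 and the signing in step 5 remain operator actions.
"""
from collections import namedtuple

RR = namedtuple("RR", "owner rtype rdata")

def parse_rrs(text):
    """Parse zone-file style lines; a line starting with whitespace
    repeats the owner of the previous record."""
    rrs, owner = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if line[0].isspace():            # continuation line: owner omitted
            rtype, rdata = fields[0], " ".join(fields[1:])
        else:
            owner, rtype, rdata = fields[0], fields[1], " ".join(fields[2:])
        rrs.append(RR(owner, rtype, rdata))
    return rrs

def plan_move(z_rrs, child, new_child_ns):
    """Return (records Z keeps, records for the new child zone).
    Owners at or below `child` move into the child zone, relative to its
    apex ("@"); a single NS RRset for `child` replaces them in Z."""
    suffix = "." + child
    keep, moved = [], []
    for rr in z_rrs:
        if rr.owner == child or rr.owner.endswith(suffix):
            rel = "@" if rr.owner == child else rr.owner[:-len(suffix)]
            moved.append(RR(rel, rr.rtype, rr.rdata))
        else:
            keep.append(rr)
    keep.extend(RR(child, "NS", ns) for ns in new_child_ns)
    return keep, moved

def render(rrs):
    """Render records in the post's layout: owner written once per RRset."""
    out, last = [], None
    for rr in rrs:
        owner = rr.owner if (rr.owner, rr.rtype) != last else ""
        out.append(f"{owner:<8} {rr.rtype} {rr.rdata}")
        last = (rr.owner, rr.rtype)
    return "\n".join(out)

# Constructed input: the current delegation in Z, exactly as in the post.
Z_BEFORE = "a.p    NS ns1.example.com.\n       NS ns2.example.com.\n"
NEW_NS = ["ns1.another.", "ns2.another.", "ns3.another."]
```

`render(plan_move(parse_rrs(Z_BEFORE), "p", NEW_NS)[1])` prints the a NS RRset that belongs in the new p.Z zone, and index 0 gives the p NS RRset that replaces a.p in Z.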