[dns-operations] Advice sought: moving delegations into child zones

Peter Koch pk at DENIC.DE
Sat Mar 19 21:02:51 UTC 2011

Hi Anand,

> There's a delegation in it, of the form:
> a.p	NS	ns1.example.com.
> 	NS	ns2.example.com.
> There's also an RRSIG for this RRset, because Z is signed. However, none
> of a.p is not signed.

not sure I read this correctly, but Z won't have an RRSIG for the a.p.Z
NS RRSet since it's a delegation.  Now, is a.p signed, in which case the
RRSIG comes from the child, or not?

> 1. Create unsigned zone p.Z
> 2. Create delegation for a.p.Z in it
> 3. Ask operator of Z to remove delegation for a.p.Z and replace with
> delegation for p.Z
> 4. Wait for $TTL so that RRSIGs for a.p.Z (from Z) expire
> 5. Sign p.Z
> Is this a reasonable approach?

Step 4 probably isn't necessary provided the NS RRSet for a.p.Z remains
stable and a.p.Z isn't signed (see above).
The only remaining caveat would be the absence proof for the DS for p.Z.
Assuming you're using NSEC instead of NSEC3, I'd make sure there is an NSEC RR
for p.Z with the DS bit cleared in advance, i.e. instantiate the empty non
terminal (or ask the maintainer of Z to do it).


More information about the dns-operations mailing list