[dns-operations] DNSSEC: Needs for zone transitions to Insecure

Patrik Fältström paf at frobbit.se
Fri Mar 20 09:46:53 UTC 2015

> On 20 Mar 2015, at 07:33, Florian Weimer <fw at deneb.enyo.de> wrote:
> Are there still situations where a zone owner may have to transition
> the zone to Insecure temporarily to keep it available (or make it
> available again)?  What about transfers between registrars?
> Are there zone signing mistakes which may need this step?

With my experience as a dns hosting entity, that is also a registrar, I have a few comments.

- There is always a reason why the DNS Hosting Provider and/or Registrar is changed. Most of the time it is because the old party "did not do their job". So most of the time something is already broken in the old setup.

- Change of DNS hosting is hard, and it was hard even before we started to use DNSSEC. Registrants have no idea what the zone looks like, and as a receiving DNS Hosting provider, even getting the zone is hard.

- Lowering TTL "all over the place" and "just publishing" the new zone on the new NS is in reality what I see people do, and that would work even better if the TTL on the DS (and NS) in the parent could be short during the time of the planned change.

I.e. I see people today in most cases "just do the move" and either just ignore the issue, or they set the zone to be insecure. In Sweden, with a high percentage of validation, taking the zone unsigned is quite normal in the cases where it is easy/possible to do so at the donating registrar/DNS hosting provider.
