[dns-operations] DNSSEC: Needs for zone transitions to Insecure

Florian Weimer fw at deneb.enyo.de
Fri Mar 20 19:50:00 UTC 2015

* Patrik Fältström:

>> On 20 Mar 2015, at 07:33, Florian Weimer <fw at deneb.enyo.de> wrote:
>> Are there still situations where a zone owner may have to transition
>> the zone to Insecure temporarily to keep it available (or make it
>> available again)?  What about transfers between registrars?
>> Are there zone signing mistakes which may need this step?
> With my experience as a dns hosting entity, that is also a registrar, I have a few comments.
> - There is always a reason why DNS Hosting Provider and/or Registrar
> is changed. Most of the time because the old party "did not do their
> job". So most of the time something is already broken in the old
> setup.

There are also totally benign reasons, like cleanup after M&A or
the regular switching of vendors.

Overall, these are probably lost in the noise, but on my end, I'm
particularly interested in those.

> I.e. I see people today in most cases "just do the move" and either
> just ignore the issue, or they set the zone to be insecure. In
> Sweden with high percentage of validation, taking zone unsigned is
> quite normal in the cases where it is easy/possible to do so at the
> donating registrar/dns hosting provider.

Ah, interesting.  Thanks for sharing.

More information about the dns-operations mailing list