[dns-operations] DNSSEC: Needs for zone transitions to Insecure
Florian Weimer
fw at deneb.enyo.de
Fri Mar 20 19:50:00 UTC 2015
* Patrik Fältström:
>> On 20 Mar 2015, at 07:33, Florian Weimer <fw at deneb.enyo.de> wrote:
>>
>> Are there still situations where a zone owner may have to transition
>> the zone to Insecure temporarily to keep it available (or make it
>> available again)? What about transfers between registrars?
>>
>> Are there zone signing mistakes which may need this step?
>
> With my experience as a dns hosting entity, that is also a registrar, I have a few comments.
>
> - There is always a reason why DNS Hosting Provider and/or Registrar
> is changed. Most of the time because the old party "did not do their
> job". So most of the time something is already broken in the old
> setup.
There are also totally benign reasons, like cleanup after M&A or
the regular switching of vendors.
Overall, these are probably lost in the noise, but on my end, I'm
particularly interested in those.
> I.e. I see people today in most cases "just do the move" and either
> just ignore the issue, or they set the zone to be insecure. In
> Sweden with high percentage of validation, taking zone unsigned is
> quite normal in the cases where it is easy/possible to do so at the
> donating registrar/dns hosting provider.
Ah, interesting. Thanks for sharing.
More information about the dns-operations
mailing list