[dns-operations] Cutting a zone with DNSSEC

Mark Andrews marka at isc.org
Wed Oct 21 20:35:34 UTC 2015 

Method 1:
Just lower the ttl of all responses for the namespace being
delegated including negative ones.  This ttl is the potential
validation failure blip. e.g. 30-60 seconds 

Wait for all reponses with the original ttl to flush from the cache.

Have the child zone on different servers to the parent if possible
already signed and answering.

Introduce the zone cut and update the signatures of the parent zone.

Restore ttls to parent zone, remove oculted data you want to remove.

Method 2:

Lower the negative ttl.  

Copy the data from the namespace to the child zone to be.

Sign the child zone.

Add the signatures from the child zone to the parent zone.
Add the signatures from the parent zone to the child zone.

This way both zone will be serving the same sets of signatures.

Serve the child zone on different servers if possible.
Introduce the zone cut and re-sign the delegation point.
(If you using the same servers combine these as best as
possible)

Wait for the ttls to expire and clean up the copied ttls
and occulted data.

In both methods it is important to lower the negative ttls to
minimize disruption.

Mark

In message <alpine.LSU.2.00.1510211614080.25050 at hermes-2.csi.cam.ac.uk>, Tony F
inch writes:
> Does anyone know of any good how-to guides for cutting an existing zone
> which already has records in use below the new delegation point? I've
> written some notes on what we are doing this week (link below) but I'd
> like to hear what others have done. In particular I'm wondering about how
> tightly consistent the authoritative servers for the parent zone need to
> be. Not a problem for us, fortunately.
> 
> http://fanf.livejournal.com/138451.html
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Trafalgar: In south, cyclonic 6 to gale 8, becoming northeasterly 4 or 5. In
> north, northeasterly 5 to 7, occasionally gale 8 at first. In south, rough or
> very rough, becoming slight or moderate later. in north, rough or very rough,
> becoming slight or moderate later. In south, showers, thundery at first. In
> north, fair. In south, good, occasionally poor at first. In north, good.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list