[dns-operations] Cutting a zone with DNSSEC

Tony Finch dot at dotat.at
Thu Oct 22 13:29:32 UTC 2015


Mark Andrews <marka at isc.org> wrote:
>

Thanks for the advice. The zone surgery went well :-)

> Method 1:
> Just lower the ttl of all responses for the namespace being
> delegated including negative ones.  This ttl is the potential
> validation failure blip. e.g. 30-60 seconds

Presumably that assumes you have fast authoritative propagation.
(We do, so this worked well for us.)

I guess that if you have slow authoritative servers then you would have to
do the signature juggling you outlined below. I don't think that would be
fun at all :-)

> Method 2:
>
> Lower the negative ttl.
>
> Copy the data from the namespace to the child zone to be.
>
> Sign the child zone.
>
> Add the signatures from the child zone to the parent zone.
> Add the signatures from the parent zone to the child zone.
>
> This way both zones will be serving the same sets of signatures.
>
> Serve the child zone on different servers if possible.
> Introduce the zone cut and re-sign the delegation point.
> (If you are using the same servers combine these as best as
> possible)
>
> Wait for the ttls to expire and clean up the copied ttls
> and occulted data.
>
> In both methods it is important to lower the negative ttls to
> minimize disruption.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty, Forth: West or southwest 7 to severe gale 9, decreasing 5
or 6 later. Rough or very rough, becoming high for a time in north Forties.
Showers at first. Moderate or good.
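The two preconditions the thread above relies on, low TTLs (including the negative TTL) under the name being delegated for Method 1, and parent and child serving identical RRSIGs for that namespace for Method 2, can be checked against zone data before the cut is introduced. The script below is an added example and is not code from Tony Finch, Mark Andrews or the dns-operations list; it parses a simplified one-record-per-line presentation format over constructed sample zones (`example.test.` and the prospective child `sub.example.test.`, addresses from 192.0.2.0/24, placeholder signature fields), so it is a pre-flight check for zone-file text rather than a replacement for querying the live authoritative servers. The negative TTL follows RFC 2308: the smaller of the SOA record's TTL and its MINIMUM field.

```python
"""Pre-cut checks for delegating a namespace out of a signed zone.

Check 1 (Method 1 in the thread): every RRset under the name being
delegated, plus the parent's negative TTL, is within the 'blip budget'.
Check 2 (Method 2): the RRSIGs the parent serves for that namespace are
the same ones the child zone will serve, so caches see one signature set.
"""
from typing import List, Set, Tuple

Record = Tuple[str, int, str, str]  # (owner, ttl, rrtype, rdata)

# Constructed sample data, not real zones: "owner TTL IN type rdata".
# www.sub.example.test. A still has the default 3600 TTL, and its RRSIG
# differs between parent and child, so both checks have something to report.
PARENT_ZONE = """\
example.test.          3600 IN SOA   ns1.example.test. hostmaster.example.test. 2015102201 7200 900 1209600 60
example.test.          3600 IN NS    ns1.example.test.
sub.example.test.        60 IN A     192.0.2.10
sub.example.test.        60 IN RRSIG A 13 3 60 20151105000000 20151022000000 12345 sub.example.test. sigA==
www.sub.example.test.  3600 IN A     192.0.2.11
www.sub.example.test.    60 IN RRSIG A 13 4 60 20151105000000 20151022000000 12345 sub.example.test. sigB==
"""

CHILD_ZONE = """\
sub.example.test.        60 IN SOA   ns2.example.test. hostmaster.example.test. 2015102201 7200 900 1209600 60
sub.example.test.        60 IN NS    ns2.example.test.
sub.example.test.        60 IN A     192.0.2.10
sub.example.test.        60 IN RRSIG A 13 3 60 20151105000000 20151022000000 12345 sub.example.test. sigA==
www.sub.example.test.    60 IN A     192.0.2.11
www.sub.example.test.    60 IN RRSIG A 13 4 60 20151105000000 20151022000000 12345 sub.example.test. sigC==
"""

# Apex-only types that legitimately differ between parent and child.
APEX_ONLY_TYPES = {"SOA", "NS", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}


def parse_zone(text: str) -> List[Record]:
    """Parse the simplified format; real zone files need a full parser (e.g. dnspython)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        owner, ttl, _cls, rrtype = parts[:4]
        records.append((owner.lower(), int(ttl), rrtype.upper(), " ".join(parts[4:])))
    return records


def in_namespace(owner: str, cut: str) -> bool:
    """True if owner is at or below the name being delegated."""
    return owner == cut or owner.endswith("." + cut)


def negative_ttl(records: List[Record]) -> int:
    """RFC 2308 negative caching TTL: min(SOA TTL, SOA MINIMUM field)."""
    for _owner, ttl, rrtype, rdata in records:
        if rrtype == "SOA":
            return min(ttl, int(rdata.split()[-1]))
    raise ValueError("zone has no SOA record")


def ttl_violations(records: List[Record], cut: str, budget: int) -> List[Tuple[str, str, int]]:
    """Records under the cut (and the negative TTL) whose TTL exceeds the budget."""
    bad = []
    neg = negative_ttl(records)
    if neg > budget:
        bad.append(("(negative ttl)", "SOA", neg))
    for owner, ttl, rrtype, _rdata in records:
        if in_namespace(owner, cut) and ttl > budget:
            bad.append((owner, rrtype, ttl))
    return bad


def rrsig_set(records: List[Record], cut: str) -> Set[Tuple[str, str]]:
    """(owner, rdata) of every RRSIG under the cut, ignoring apex-only covered types."""
    sigs = set()
    for owner, _ttl, rrtype, rdata in records:
        if rrtype == "RRSIG" and in_namespace(owner, cut):
            covered = rdata.split()[0].upper()  # first RRSIG field is the type covered
            if covered not in APEX_ONLY_TYPES:
                sigs.add((owner, rdata))
    return sigs


def rrsig_mismatch(parent: List[Record], child: List[Record], cut: str):
    """Signatures only the parent serves, and signatures only the child serves."""
    p, c = rrsig_set(parent, cut), rrsig_set(child, cut)
    return sorted(p - c), sorted(c - p)


if __name__ == "__main__":
    cut, budget = "sub.example.test.", 60
    parent, child = parse_zone(PARENT_ZONE), parse_zone(CHILD_ZONE)
    for owner, rrtype, ttl in ttl_violations(parent, cut, budget):
        print(f"TTL too high: {owner} {rrtype} {ttl}s > {budget}s budget")
    only_parent, only_child = rrsig_mismatch(parent, child, cut)
    for owner, rdata in only_parent:
        print(f"RRSIG only in parent: {owner} {rdata}")
    for owner, rdata in only_child:
        print(f"RRSIG only in child:  {owner} {rdata}")
```

Run it before introducing the cut: an empty report means every RRset under the delegated name expires from caches within the budget and both zones hand out the same signatures, which is the state in which the delegation can be added with at most a budget-length validation blip.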


