[dns-operations] Cutting a zone with DNSSEC

Tony Finch dot at dotat.at
Thu Oct 22 13:29:32 UTC 2015

Mark Andrews <marka at isc.org> wrote:

Thanks for the advice. The zone surgery went well :-)

> Method 1:
> Just lower the ttl of all responses for the namespace being
> delegated including negative ones.  This ttl is the potential
> validation failure blip. e.g. 30-60 seconds

Presumably that assumes you have fast authoritative propagation.
(We do, so this worked well for us.)

I guess that if you have slow authoritative servers then you would have to
do the signature juggling you outlined below. I don't think that would be
fun at all :-)

> Method 2:
> Lower the negative ttl.
> Copy the data from the namespace to the child zone to be.
> Sign the child zone.
> Add the signatures from the child zone to the parent zone.
> Add the signatures from the parent zone to the child zone.
> This way both zone will be serving the same sets of signatures.
> Serve the child zone on different servers if possible.
> Introduce the zone cut and re-sign the delegation point.
> (If you using the same servers combine these as best as
> possible)
> Wait for the ttls to expire and clean up the copied ttls
> and occulted data.
> In both methods it is important to lower the negative ttls to
> minimize disruption.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty, Forth: West or southwest 7 to severe gale 9, decreasing 5
or 6 later. Rough or very rough, becoming high for a time in north Forties.
Showers at first. Moderate or good.

More information about the dns-operations mailing list