[dns-operations] Cutting a zone with DNSSEC

Mark Andrews marka at isc.org
Thu Oct 22 21:36:09 UTC 2015


In message <alpine.LSU.2.00.1510221425080.959 at hermes-2.csi.cam.ac.uk>, Tony Finch writes:
> Mark Andrews <marka at isc.org> wrote:
> >
> 
> Thanks for the advice. The zone surgery went well :-)
> 
> > Method 1:
> > Just lower the TTL of all responses for the namespace being
> > delegated, including negative ones.  This TTL is the potential
> > validation failure blip, e.g. 30-60 seconds.
> 
> Presumably that assumes you have fast authoritative propagation.
> (We do, so this worked well for us.)
> 
> I guess that if you have slow authoritative servers then you would have to
> do the signature juggling you outlined below. I don't think that would be
> fun at all :-)

No.  The validator should try other servers if the validation fails.
It just does more work until all the servers are up to date.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
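As an added illustration of "Method 1" above (this is example code written for this page, not code from the thread, from ISC or from BIND): the pre-cut step is to edit the parent zone so that every answer a name at or below the future cut can produce, positive or negative, carries a short TTL, then re-sign and let that propagate before the delegation is inserted. Negative answers are cached for min(SOA TTL, SOA MINIMUM) (RFC 2308), and NSEC records take the SOA MINIMUM TTL when the zone is signed (RFC 4034), so the SOA has to be lowered as well as the records under the cut. The script assumes a minimal zone-file dialect (one record per line, absolute owner names, integer TTLs, `$TTL` as the only directive, no parentheses) and an unsigned master file that is re-signed afterwards; the zone content is constructed for the example.

```python
"""Lower TTLs ahead of cutting a sub-namespace out of a signed zone.

Added example for the thread above; not ISC/BIND code.  The zone below is
constructed sample data.  Assumed zone-file dialect: one record per line,
absolute owner names ending in '.', optional integer TTL, optional class,
no parentheses, '$TTL <seconds>' as the only directive.  Edit the unsigned
zone with this, then re-sign: changing a TTL changes the RRSIG "original
TTL" field, so the RRSIGs have to be regenerated in any case.
"""
from __future__ import annotations

from dataclasses import dataclass

CLASSES = {"IN", "CH", "HS"}

# Constructed parent zone; 'sub.example.com.' is about to be delegated away.
SAMPLE_ZONE = """\
$TTL 3600
example.com.      IN SOA ns1.example.com. hostmaster.example.com. 2015102201 7200 900 1209600 86400
example.com.      IN NS ns1.example.com.
example.com.      IN NS ns2.example.com.
ns1.example.com.  IN A 192.0.2.1
ns2.example.com.  IN A 192.0.2.2
www.example.com.  IN A 192.0.2.10
sub.example.com.  IN A 192.0.2.20
www.sub.example.com. IN A 192.0.2.21
mail.sub.example.com. 7200 IN A 192.0.2.22
"""


@dataclass
class Record:
    owner: str
    ttl: int | None          # None: record inherits the $TTL default
    rclass: str
    rtype: str
    rdata: list[str]

    def effective_ttl(self, default_ttl: int) -> int:
        return default_ttl if self.ttl is None else self.ttl

    def to_line(self) -> str:
        ttl = "" if self.ttl is None else f" {self.ttl}"
        return f"{self.owner}{ttl} {self.rclass} {self.rtype} {' '.join(self.rdata)}"


def parse_record(line: str) -> Record:
    """Parse 'owner [ttl] [class] type rdata...' (assumed dialect)."""
    toks = line.split()
    owner, rest = toks[0], toks[1:]
    ttl = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    rclass = rest.pop(0).upper() if rest and rest[0].upper() in CLASSES else "IN"
    return Record(owner.lower(), ttl, rclass, rest[0].upper(), rest[1:])


def at_or_below(owner: str, cut: str) -> bool:
    """True if owner is the cut point itself or any name under it (label-wise)."""
    owner, cut = owner.lower(), cut.lower()
    return owner == cut or owner.endswith("." + cut)


def lower_ttls_for_cut(zone_text: str, cut: str, ttl: int = 60) -> tuple[str, list[str]]:
    """Return (rewritten zone text, list of 'owner/TYPE' entries that changed).

    Positive answers: every RRset at or below the cut gets TTL <= ttl.
    Negative answers: the SOA TTL and SOA MINIMUM are capped at ttl, since the
    negative-cache TTL is min(SOA TTL, SOA MINIMUM) and NSECs inherit MINIMUM
    on re-signing.  Records elsewhere in the zone are left alone.
    """
    default_ttl = 3600  # assumed default when the file carries no $TTL
    out, changed = [], []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            out.append(raw)
            continue
        if line.upper().startswith("$TTL"):
            default_ttl = int(line.split()[1])
            out.append(raw)
            continue
        if line.startswith("$"):
            raise ValueError(f"unsupported directive in this example parser: {line}")
        rec = parse_record(line)
        if at_or_below(rec.owner, cut) and rec.effective_ttl(default_ttl) > ttl:
            rec.ttl = ttl
            changed.append(f"{rec.owner}/{rec.rtype}")
        if rec.rtype == "SOA":
            if rec.effective_ttl(default_ttl) > ttl:
                rec.ttl = ttl
                changed.append(f"{rec.owner}/SOA")
            if int(rec.rdata[6]) > ttl:          # MINIMUM field drives negative caching
                rec.rdata[6] = str(ttl)
                changed.append(f"{rec.owner}/SOA minimum")
        out.append(rec.to_line())
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, changes = lower_ttls_for_cut(SAMPLE_ZONE, "sub.example.com.", 60)
    print(text)
    print("changed:", ", ".join(changes))
```

The lowered TTLs must be live on every authoritative server for at least the longest previous TTL (here 3600 s for the records, 86400 s for the negative cache) before the NS/DS records for the cut are added and the parent is re-signed; after that, the 60 s is the window in which a validator may still hold a pre-cut answer whose signature no longer chains. Note that capping the SOA MINIMUM shortens negative caching for the whole zone, not only for names under the cut, since a zone has a single SOA.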
