[dns-operations] geant.org dnssec
Antoin Verschuren
dns at antoin.nl
Tue Feb 7 12:53:49 UTC 2017
Op 6 feb. 2017, om 17:08 heeft Dick Visser <dnmvisser at gmail.com> het volgende geschreven:
> To avoid any DNSSEC issues, we want to go unsigned before we change anything.
> And to my knowledge this is achieved by stop publishing a DS record in
> the parent zone.
You could better follow this approach, which will prevent DNSSEC breakage and going insecure altogether:
https://www.ietf.org/archive/id/draft-koch-dnsop-dnssec-operator-change-06.txt
I believe the soon to be published EPP extension is even supported by TransIP, so they know how to import your new key:
https://www.ietf.org/id/draft-ietf-eppext-keyrelay-12.txt
It’s been successfully used in production with a number of .nl domains that do NSEC3 as well.
I’d say thats a safer alternative than going insecure.
- --
Antoin Verschuren
Tweevoren 6, 5672 SB Nuenen, NL
M: +31 6 37682392
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170207/96d4581a/attachment.sig>
More information about the dns-operations
mailing list