[dns-operations] geant.org dnssec

Antoin Verschuren dns at antoin.nl
Tue Feb 7 12:53:49 UTC 2017


On 6 Feb 2017, at 17:08, Dick Visser <dnmvisser at gmail.com> wrote:

> To avoid any DNSSEC issues, we want to go unsigned before we change anything.
> And to my knowledge this is achieved by stop publishing a DS record in
> the parent zone.

You would do better to follow this approach, which will prevent DNSSEC breakage and going insecure altogether:

https://www.ietf.org/archive/id/draft-koch-dnsop-dnssec-operator-change-06.txt

I believe the soon-to-be-published EPP extension is even supported by TransIP, so they know how to import your new key:

https://www.ietf.org/id/draft-ietf-eppext-keyrelay-12.txt

It’s been successfully used in production with a number of .nl domains that do NSEC3 as well.
I'd say that's a safer alternative than going insecure.

--
Antoin Verschuren

Tweevoren 6, 5672 SB Nuenen, NL
M: +31 6 37682392
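As an added illustration of the trade-off in the message above (this is example code, not part of the original mail, the drafts, or any TransIP tooling): a small Python model of the DS/DNSKEY chain of trust at each step of an operator change. DS records are computed from DNSKEY RDATA as RFC 4034 section 5.1.4 and RFC 4509 describe (key tag per RFC 4034 Appendix B), and a step is "secure" only if every DNSKEY RRset a resolver might fetch contains a key that both matches a DS at the parent and signs that RRset. The owner name `example.org`, the two KSKs, and the step sequence are constructed assumptions that summarise the pre-publication idea; they are not the drafts' exact procedure, and RRSIG verification itself is not performed.

```python
import base64
import hashlib
from dataclasses import dataclass

# Added example: constructed keys and a constructed owner name, not real zone data.
OWNER = "example.org"


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int            # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    public_key_b64: str
    protocol: int = 3

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.public_key_b64))

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (all algorithms except 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds(self, owner: str, digest_type: int = 2) -> tuple:
        """DS RDATA as (key tag, algorithm, digest type, hex digest); digest over owner || RDATA."""
        hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
        digest = hasher(wire_name(owner) + self.rdata()).hexdigest().upper()
        return (self.key_tag(), self.algorithm, digest_type, digest)


def chain_status(owner: str, parent_ds: set, served: list) -> str:
    """served = [(dnskey_rrset, keys_that_sign_it), ...], one entry per nameserver set that
    may answer.  'insecure' with no DS at the parent; 'secure' if every served RRset has a
    signing key matched by a parent DS; otherwise 'bogus' (validation failure)."""
    if not parent_ds:
        return "insecure"
    for keyset, signers in served:
        if not any(k in signers and k.ds(owner) in parent_ds for k in keyset):
            return "bogus"
    return "secure"


# Constructed placeholder KSKs for the losing and gaining operator (algorithm 13 = ECDSAP256SHA256).
K_OLD = DNSKEY(257, 13, base64.b64encode(bytes(range(64))).decode())
K_NEW = DNSKEY(257, 13, base64.b64encode(bytes(range(64, 128))).decode())


def go_unsigned_first() -> list:
    """Drop the DS, move, sign again: two steps where anyone can spoof the zone unchallenged."""
    return [
        ("before",                chain_status(OWNER, {K_OLD.ds(OWNER)}, [([K_OLD], {K_OLD})])),
        ("DS removed at parent",  chain_status(OWNER, set(),             [([K_OLD], {K_OLD})])),
        ("moved, new op signing", chain_status(OWNER, set(),             [([K_NEW], {K_NEW})])),
        ("DS(new) published",     chain_status(OWNER, {K_NEW.ds(OWNER)}, [([K_NEW], {K_NEW})])),
    ]


def relay_keys_first() -> list:
    """Relay K_NEW into the old operator's zone, add its DS, then move: a DS match at every step."""
    ds_old, ds_new = K_OLD.ds(OWNER), K_NEW.ds(OWNER)
    both_keys = [K_OLD, K_NEW]
    return [
        ("before",                      chain_status(OWNER, {ds_old},         [(both_keys[:1], {K_OLD})])),
        ("K_new relayed into old zone", chain_status(OWNER, {ds_old},         [(both_keys, {K_OLD})])),
        ("DS(new) added next to DS(old)", chain_status(OWNER, {ds_old, ds_new}, [(both_keys, {K_OLD})])),
        ("NS change, either op answers", chain_status(OWNER, {ds_old, ds_new}, [(both_keys, {K_OLD}), (both_keys, {K_NEW})])),
        ("only new op answers, DS(old) withdrawn", chain_status(OWNER, {ds_new}, [(both_keys, {K_NEW})])),
        ("K_old dropped",               chain_status(OWNER, {ds_new},         [([K_NEW], {K_NEW})])),
    ]


def withdraw_old_ds_too_early() -> str:
    """Ordering mistake: DS(old) removed while the old operator still answers with a set it signs
    only with K_OLD.  K_NEW is present there but does not sign, so validation fails."""
    return chain_status(OWNER, {K_NEW.ds(OWNER)},
                        [([K_OLD, K_NEW], {K_OLD}), ([K_OLD, K_NEW], {K_NEW})])


if __name__ == "__main__":
    for name, steps in (("go unsigned first", go_unsigned_first()), ("relay keys first", relay_keys_first())):
        print(name)
        for step, status in steps:
            print(f"  {status:9} {step}")
    print("DS(old) withdrawn too early:", withdraw_old_ds_too_early())
```

The two sequences make the message's point concrete: the unsigned-first path has a window in which the zone validates as insecure and the relay-first path never does. The third function is the caveat that comes with the safer path: the old DS may only be withdrawn once no nameserver still answers with an RRset signed solely by the old key, since a DS that matches a non-signing key is not a valid chain.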
