[dns-operations] root? we don't need no stinkin' root!

Paul Ebersman list-dns-operations at dragon.net
Wed Dec 11 16:26:11 UTC 2019

jreid> In principle, they could all change at once, In reality, they
jreid> don't.

dot> But they do. Vanuatu did yesterday, and I mentioned some other
dot> recent examples in this thread a couple of weeks ago:
dot> https://lists.dns-oarc.net/pipermail/dns-operations/2019-November/019486.html

Yup. Especially with DNSSEC, where a mix and match of signatures is a
complete nightmare, it's actually cleaner to have dual DS, both sets of
keys in both providers' zones but only one set of NS in the parent, not
mix and match.

See Shumon's draft on multiprovider. It will make your eyes bleed but is
so far the cleanest way we've found of doing provider changes too.

More information about the dns-operations mailing list