[dns-operations] Switching DNSSEC uncooperative operator - help, please

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 4 22:07:43 UTC 2019


On Mon, Mar 04, 2019 at 09:54:41PM +0000, Wessels, Duane wrote:

> > On Mar 4, 2019, at 12:34 PM, James Stevens <james.stevens at jrcs.co.uk> wrote:
> > 
> >  wait >24 hrs then switch all NS (parent & zone), 
> 
> It sounds like you swapped out the NS records all at once?  Is that a
> requirement?  What if you gradually introduce new NS?

That would probably make things worse when the two providers use
disjoint DNSKEY RRsets.

Switching algorithms at the same time as cutting over the keys
could exacerbate the problem.  Ideally, the same set of algorithms
is in use on both sides of the cutover.

-- 
	Viktor.
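
An added example, not part of the original message: a simplified Python model of the mixed-NS window discussed above, listing which combinations of cached DNSKEY RRset and answering provider a validator cannot verify. Provider names, key tags and algorithm numbers are constructed, and matching a signature to a key by (key tag, algorithm) alone is a simplifying assumption.

```python
from itertools import product

# Constructed sample data. Each provider serves its own DNSKEY RRset, modelled
# as a set of (key_tag, algorithm) pairs, and signs answers with its own ZSK.
DISJOINT = {
    "old": {"dnskeys": {(11111, 8), (22222, 8)}, "zsk": (22222, 8)},
    "new": {"dnskeys": {(33333, 13), (44444, 13)}, "zsk": (44444, 13)},
}

# Constructed contrast case: both providers serve the same DNSKEY RRset,
# which contains both ZSKs, and both use the same algorithm.
COMMON_KEYS = {(33333, 13), (44444, 13), (55555, 13)}
SHARED = {
    "old": {"dnskeys": set(COMMON_KEYS), "zsk": (55555, 13)},
    "new": {"dnskeys": set(COMMON_KEYS), "zsk": (44444, 13)},
}


def failing_paths(providers):
    """Return sorted (dnskey_source, answer_source) pairs that fail validation.

    While both providers appear in the NS set, a resolver may hold the DNSKEY
    RRset obtained from one provider and then fetch signed data from the other.
    The answer verifies only if the signing key is in that DNSKEY RRset.
    """
    bad = []
    for key_src, data_src in product(providers, repeat=2):
        if providers[data_src]["zsk"] not in providers[key_src]["dnskeys"]:
            bad.append((key_src, data_src))
    return sorted(bad)


def algorithms_match(providers):
    """True when every provider's DNSKEY RRset uses the same set of algorithms."""
    alg_sets = [{alg for _tag, alg in p["dnskeys"]} for p in providers.values()]
    return all(s == alg_sets[0] for s in alg_sets)


if __name__ == "__main__":
    for label, data in (("disjoint", DISJOINT), ("shared", SHARED)):
        print(label, "failing paths:", failing_paths(data),
              "same algorithms:", algorithms_match(data))
```

With disjoint RRsets every cross-provider path fails, so the longer both NS sets are in use, the longer resolvers are exposed to those paths.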


