[dns-operations] Switching DNSSEC uncooperative operator - help, please
daniel at internetnz.net.nz
Mon Mar 4 22:24:51 UTC 2019
On Tue, 5 Mar 2019 at 10:12, Anthony Eden <anthony.eden at dnsimple.com> wrote:
> If so then having both providers' DS records and changing the delegation
> should work, but you probably want to leave the old DS record present
> longer before removing it. We are leaving old DS records a minimum of 48
> hours (for example, when removing DNSSEC, and longer when we rotate keys,
> but that's more to give customers more time to add the DS where automation
> isn't possible).
Are you sure that will work?

I would have thought that during the cutover an attempt to validate
records provided by the new provider, using a previously looked-up and
cached DNSKEY set, would fail. I think the minimum for a (safe) cutover
would be DS records from both providers and cross-signed ZSKs.
Mobile: +64 27 448 8230
Email: daniel at internetnz.net.nz
For a better world through a better Internet
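
A simplified model of the cutover scenario raised in this message, added as an example and not part of the original post. It assumes a validator that checks answers against whichever DNSKEY RRset it has cached and does not refetch on failure, and it reads "cross-signed ZSKs" as each provider publishing the other's ZSK in its own DNSKEY RRset; key tags and function names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    tag: int   # constructed key tag, not a real one
    role: str  # "KSK" or "ZSK"

# Constructed keys for the losing ("old") and gaining ("new") provider.
OLD_KSK, OLD_ZSK = Key(1001, "KSK"), Key(1002, "ZSK")
NEW_KSK, NEW_ZSK = Key(2001, "KSK"), Key(2002, "ZSK")

def dnskey_rrset(own_ksk, own_zsk, foreign_zsk=None):
    """DNSKEY RRset one provider serves, signed by that provider's KSK."""
    keys = {own_ksk, own_zsk}
    if foreign_zsk is not None:
        keys.add(foreign_zsk)  # the other provider's ZSK, pre-published
    return {"keys": frozenset(keys), "signed_by": own_ksk.tag}

def validate(answer_signer_tag, dnskey_set, ds_tags):
    """Chain check: DS -> KSK over DNSKEY RRset -> key that signed the answer."""
    if dnskey_set["signed_by"] not in ds_tags:
        return False  # no DS at the parent vouches for this DNSKEY RRset
    return any(k.tag == answer_signer_tag for k in dnskey_set["keys"])

def cutover_outcomes(cross_signed):
    """Validation result for each cache state a resolver can be in mid-cutover."""
    ds_tags = {OLD_KSK.tag, NEW_KSK.tag}  # DS for both providers at the parent
    old_set = dnskey_rrset(OLD_KSK, OLD_ZSK, NEW_ZSK if cross_signed else None)
    new_set = dnskey_rrset(NEW_KSK, NEW_ZSK, OLD_ZSK if cross_signed else None)
    return {
        # DNSKEY cached before the NS change, answer fetched after it
        "old_dnskey_new_answer": validate(NEW_ZSK.tag, old_set, ds_tags),
        # DNSKEY fetched after the NS change, answer still from the old servers
        "new_dnskey_old_answer": validate(OLD_ZSK.tag, new_set, ds_tags),
        # nothing cached: everything fetched from the new provider
        "all_from_new": validate(NEW_ZSK.tag, new_set, ds_tags),
    }

if __name__ == "__main__":
    for cross in (False, True):
        print("cross-signed ZSKs:", cross)
        for state, ok in cutover_outcomes(cross).items():
            print(f"  {state:24} {'secure' if ok else 'bogus'}")
```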