[dns-operations] Switching DNSSEC uncooperative operator - help, please

Daniel Griggs daniel at internetnz.net.nz
Mon Mar 4 22:24:51 UTC 2019


On Tue, 5 Mar 2019 at 10:12, Anthony Eden <anthony.eden at dnsimple.com> wrote:

> If so then having both provider's DS records and changing the delegation
> should work, but you probably want to leave the old DS record present
> longer before removing it. We are leaving old DS records a minimum of 48
> hours (for example, when removing DNSSEC, and longer when we rotate keys,
> but that's more to give customers more time to add the DS where automation
> isn't possible).
>
>
Are you sure that will work?

I would have thought during the cut over an attempt of validation of
records provided by the new provider, by previously looked up and cached
DNSKEY set would fail. I think the minimum for a (safe) cut over would be
DS records from both providers and cross signed ZSKs.

-- 
Daniel Griggs
Systems Administrator
InternetNZ

Mobile: +64 27 448 8230
Email: daniel at internetnz.net.nz

For a better world through a better Internet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190305/2a45bb64/attachment.html>


More information about the dns-operations mailing list