[dns-operations] Switching DNSSEC uncooperative operator - help, please

Matthew Pounsett matt at conundrum.com
Mon Mar 4 23:07:24 UTC 2019

On Mon, 4 Mar 2019 at 17:37, James Stevens <james.stevens at jrcs.co.uk> wrote:

> > What if you gradually introduce new NS?
> Gradually switching NS isn't a problem - I thought a sudden switch over
> would be better. Happy to give it a go.

A sudden switchover of NS records should be fine, but you'll want to leave
the old DS there for 2xMAX TTL longer than you leave the old NS records.
The problem being that at the time you cut over the NS records, there may be
resolvers which have just cached the old NS records and will continue to
look up records at the old provider ... including getting (and re-caching)
the old DNSKEYs.

You need to leave time for the old NS records to expire, and then the old
DNSKEYs to expire (sequentially, not concurrently) before removing the old
DS records.
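
The sequential wait described in the message above, modelled as an added example that is not part of the original post. It assumes resolvers honour TTLs exactly, that the old provider keeps answering after the cutover at t=0, and it uses constructed TTL values; all function names are hypothetical.

```python
# Added example: worst-case resolver cache timeline after an NS cutover at t=0.
# The TTLs and the simple cache model are assumptions, not values from the thread.

def old_dnskey_cached_until(ns_cached_at, first_fetch, ns_ttl, dnskey_ttl):
    """When does this resolver's last cached copy of the old DNSKEY set expire?

    The resolver cached the old NS set at ns_cached_at (<= 0) and keeps asking
    the old provider until that entry expires. Whenever its DNSKEY entry runs
    out while the old NS set is still cached, it re-caches the old DNSKEYs.
    Returns None if it never fetched DNSKEYs from the old provider.
    """
    ns_expiry = ns_cached_at + ns_ttl
    fetch, expiry = first_fetch, None
    while fetch < ns_expiry:         # still pointed at the old name servers
        expiry = fetch + dnskey_ttl  # old DNSKEY set (re-)cached until here
        fetch = expiry               # next fetch once this copy has expired
    return expiry


def worst_case_expiry(ns_ttl, dnskey_ttl, step=60):
    """Scan NS cache times and DNSKEY fetch phases; return the latest expiry."""
    latest = 0
    for ns_cached_at in range(-ns_ttl + step, 1, step):
        for first_fetch in range(ns_cached_at, ns_cached_at + dnskey_ttl, step):
            t = old_dnskey_cached_until(ns_cached_at, first_fetch, ns_ttl, dnskey_ttl)
            if t is not None:
                latest = max(latest, t)
    return latest


def ds_removal_is_safe(removal_time, ns_ttl, dnskey_ttl, step=60):
    """True if no modelled resolver still holds old DNSKEYs at removal_time."""
    return removal_time >= worst_case_expiry(ns_ttl, dnskey_ttl, step)


if __name__ == "__main__":
    NS_TTL, DNSKEY_TTL = 86400, 3600   # constructed sample TTLs, in seconds
    for label, t in [("concurrent", max(NS_TTL, DNSKEY_TTL)),
                     ("sequential", NS_TTL + DNSKEY_TTL)]:
        ok = ds_removal_is_safe(t, NS_TTL, DNSKEY_TTL)
        print(f"{label:10s} wait: remove old DS at t={t}s -> safe={ok}")
```

With these sample TTLs, waiting only for the longer of the two TTLs leaves resolvers holding old DNSKEYs with no matching DS, while waiting for the sum covers every modelled resolver.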