[dns-operations] slack.com bogus
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Sep 30 22:29:26 UTC 2021
> On 30 Sep 2021, at 6:22 pm, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
>
>> Pity this did not go smoothly for them, a premature rollout can be mildly
>> inconvenient, but then yanking the DS RRs was definitely a bad call.
>
> Yanking a DS does not break domains. Yanking DNSKEY+RRSIG before the DS
> is expired breaks domains. If there was a bad call (which we can't know
> from our back seats), yanking the DS was not it.

Sorry about the fuzzy description, yes I know the issue was yanking the
DNSKEYs (actually both DNSKEYs and DS at the same time).

It is far from clear why one would decide to do that, and why one would
not quickly re-sign and push the zone to reduce the impact.

--
Viktor.
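
Added example, not part of the original message or of any tool the thread discusses: a simplified Python model of what a validating resolver concludes while it still holds a cached DS, comparing removal of the DS alone with removal of DS and DNSKEY/RRSIG together. The TTL, the timestamps and all function names are constructed assumptions; only DS caching is modelled (DNSKEY/RRSIG caching and negative caching are ignored).

```python
# Simplified model: one validating resolver, one delegated signed zone.
# Assumption: only the DS RRset is cached. Times are seconds on a
# constructed timeline; none of the values come from the incident.

DS_TTL = 86400      # constructed DS TTL at the parent (one day)
T = 100_000         # constructed moment of the operator's change
CACHED = T - 60     # this resolver cached the DS one minute before T
NEVER = float("inf")


def validator_view(now, ds_cached_at, ds_ttl, ds_removed_at, signing_removed_at):
    """Return 'secure', 'insecure' or 'bogus' for a lookup at time `now`."""
    ds_in_cache = ds_cached_at <= now < ds_cached_at + ds_ttl
    ds_at_parent = now < ds_removed_at
    if not (ds_in_cache or ds_at_parent):
        return "insecure"          # no DS known: unsigned answers are accepted
    zone_signed = now < signing_removed_at
    # A known DS means the resolver insists on DNSKEY + RRSIG in the child.
    return "secure" if zone_signed else "bogus"


def bogus_window(ds_ttl, ds_removed_at, signing_removed_at):
    """Upper bound (start, end) on when some validator sees 'bogus', else None.

    The worst-case resolver cached the DS just before it left the parent,
    so it can keep demanding signatures until ds_removed_at + ds_ttl.
    """
    last_ds_expiry = ds_removed_at + ds_ttl
    if signing_removed_at >= last_ds_expiry:
        return None
    return (signing_removed_at, last_ds_expiry)


def timeline(ds_removed_at, signing_removed_at,
             offsets=(0, 3600, DS_TTL - 61, DS_TTL - 60)):
    """Views of the resolver that cached the DS at CACHED, at T + each offset."""
    return [validator_view(T + o, CACHED, DS_TTL, ds_removed_at, signing_removed_at)
            for o in offsets]


if __name__ == "__main__":
    print("DS only removed:      ", timeline(T, NEVER), bogus_window(DS_TTL, T, NEVER))
    print("DS + DNSKEY together: ", timeline(T, T), bogus_window(DS_TTL, T, T))
    print("DS first, keys later: ", timeline(T, T + DS_TTL),
          bogus_window(DS_TTL, T, T + DS_TTL))
```
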