DNSSEC transition

rubensk at nic.br rubensk at nic.br
Sat Jan 21 00:22:34 UTC 2023


HI there. 

I am considering a DNSSEC transition in the following scenario:

- Org 1 operates both the parent domain, with a delegation-only server, and the child domain, with a set of authoritative servers. A zone cut is present. 
- Org 2 operates only authoritative servers 
- Child domain is currently signed by Org 1, with a DS record matching DNSKEY and RRSIGs served by the authoritative servers.
- Child domain is moving from the authoritative servers of Org 1 to the authoritative servers of Org 2. Org 1 will keep running the parent domain. 
- Org 2 will now run the child domain, with no DNSSEC

Simple way is to remove the DS from the parent, wait for the DS TTL to be over, and then change the delegation at the parent domain. But this makes the change to wait for that DS TTL. 

I wonder if there is a way to make this transition to happen faster from an outside POV, even if under the hood there is still work in progress during the DS TTL. Is there a way to tell "hey, 
DNSSEC is longer available to this domain, and I can prove that with RRSIG record" that resolvers would trust ? Because other than that, the next option would be to act as a recursor querying the new name servers, and on the fly signing the responses. 




Rubens








More information about the dns-operations mailing list