[dns-operations] DNSSEC transition

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Jan 21 03:16:02 UTC 2023


On Fri, Jan 20, 2023 at 09:22:34PM -0300, Rubens Kuhl via dns-operations wrote:

> I am considering a DNSSEC transition in the following scenario:
> 
> - Org 1 operates both the parent domain, with a delegation-only
>   server, and the child domain, with a set of authoritative servers. A
>   zone cut is present. 
> - Org 2 operates only authoritative servers 
> - Child domain is currently signed by Org 1, with a DS record matching
>   DNSKEY and RRSIGs served by the authoritative servers.
> - Child domain is moving from the authoritative servers of Org 1 to
>   the authoritative servers of Org 2. Org 1 will keep running the parent
>   domain. 
> - Org 2 will now run the child domain, with no DNSSEC

What does "with no DNSSEC" mean?  Does it mean they can't serve an
already signed zone, in which the RRSIG expirations are far enough
in the future to outlive the DS TTL?  So long as the nameserver S/W
in question is capable of returning DNSSEC-signed responses, the
new operator does not actually need to introduce new keys or sign
the zone beyond the current lifetime of the extant RRSIGs.

> Simple way is to remove the DS from the parent, wait for the DS TTL to
> be over, and then change the delegation at the parent domain. But this
> makes the change wait for that DS TTL.

If the new operator's nameservers have no support for serving a
pre-signed zone, then I am not aware of any alternatives.  While the DS
RRset persists in remote caches it signals a signed delegation, and the
child domain has to be signed by a corresponding KSK.

> I wonder if there is a way to make this transition happen faster
> from an outside POV, even if under the hood there is still work in
> progress during the DS TTL. Is there a way to tell "hey, DNSSEC is
> [no] longer available to this domain, and I can prove that with an RRSIG
> record" that resolvers would trust?

No.

> Because other than that, the next option would be to act as a recursor
> querying the new name servers, and on the fly signing the responses. 

Why not just drop the DS now, and do the transfer *after* the DS expires
from caches?  While we're contemplating the question, the DS could
already be removed and aging out.

-- 
    Viktor.
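An added worked example, not part of Viktor's reply or of the thread: a small Python script that models the two timelines discussed above. It takes the moment the DS was removed at the parent, the DS TTL, and the RRSIGs of the child zone (parsed from constructed zone-file lines, with the RFC 4034 YYYYMMDDHHMMSS expiration field), and reports when the last cached DS can be gone, whether the already-signed zone's RRSIGs outlive that point, and therefore the earliest time the delegation can move, both when the new operator can serve the pre-signed zone and when it cannot. The sample records, names and key tags are constructed; the function names are my own.

```python
"""Timeline check for moving a signed child zone to an operator that will not sign.

Added example, not code from the thread. It models the two options discussed:
  1. remove the DS at the parent, wait out the DS TTL, then re-delegate; or
  2. re-delegate sooner if the new operator can serve the already-signed zone
     until the last cached copy of the DS has aged out of resolver caches.
Sample records below are constructed, not real zone data.
"""
from datetime import datetime, timedelta, timezone

# RRSIG expiration/inception presentation format (RFC 4034), always UTC.
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"

# Constructed zone excerpt: owner TTL class RRSIG type alg labels origTTL exp inc keytag signer sig
SAMPLE_ZONE = """\
child.example. 3600 IN SOA ns1.child.example. hostmaster.child.example. 2023012001 7200 3600 1209600 3600
child.example. 3600 IN RRSIG SOA 13 2 3600 20230301000000 20230115000000 12345 child.example. c29hLXNpZw==
child.example. 3600 IN RRSIG DNSKEY 13 2 3600 20230215000000 20230115000000 54321 child.example. a2V5LXNpZw==
"""


def parse_rrsig_time(field: str) -> datetime:
    """Turn an RRSIG expiration/inception field into an aware UTC datetime."""
    return datetime.strptime(field, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def rrsig_expirations(zone_text: str) -> dict:
    """Return {(owner, type_covered): expiration} for every RRSIG line in zone_text."""
    out = {}
    for line in zone_text.splitlines():
        tokens = line.split()
        # Need at least owner..expiration (index 8) and the RRSIG type marker.
        if len(tokens) < 9 or tokens[3] != "RRSIG":
            continue
        owner, covered, expiration = tokens[0], tokens[4], tokens[8]
        out[(owner, covered)] = parse_rrsig_time(expiration)
    return out


def earliest_delegation_change(ds_removed_at: datetime, ds_ttl: int) -> datetime:
    """A resolver that fetched the DS just before removal may keep it for ds_ttl seconds."""
    return ds_removed_at + timedelta(seconds=ds_ttl)


def plan_transition(ds_removed_at: datetime, ds_ttl: int, zone_text: str,
                    new_operator_serves_signed: bool) -> dict:
    """Work out when the delegation can safely move to the new operator.

    While any cache still holds the DS, the child must answer with RRSIGs made by
    the matching KSK. So the signed copy of the zone must stay valid until the
    DS is gone everywhere, whoever is serving it at that point.
    """
    ds_gone_at = earliest_delegation_change(ds_removed_at, ds_ttl)
    sigs = rrsig_expirations(zone_text)
    first_expiry = min(sigs.values()) if sigs else None
    signed_copy_outlives_ds = bool(first_expiry and first_expiry >= ds_gone_at)

    if new_operator_serves_signed and signed_copy_outlives_ds:
        # Option 2: the new operator serves the pre-signed zone as-is, so the
        # delegation can move right away; no new keys or re-signing needed.
        move_at = ds_removed_at
    else:
        # Option 1: the old operator keeps serving the signed zone until the DS
        # has aged out of caches, then the delegation moves.
        move_at = ds_gone_at

    return {
        "ds_gone_at": ds_gone_at,
        "first_rrsig_expiry": first_expiry,
        "signed_copy_outlives_ds": signed_copy_outlives_ds,
        "move_delegation_at": move_at,
        "signed_zone_needed_until": ds_gone_at,
    }


if __name__ == "__main__":
    removed = parse_rrsig_time("20230121000000")  # constructed removal time
    for serves_signed in (True, False):
        plan = plan_transition(removed, 86400, SAMPLE_ZONE, serves_signed)
        print(f"new operator serves signed zone: {serves_signed}")
        for key, value in plan.items():
            print(f"  {key}: {value}")
```

Run it with the DS TTL actually published by the parent and the RRSIGs from a current copy of the child zone; if `signed_copy_outlives_ds` is false, either the old operator re-signs before handing over or the delegation change has to wait for `ds_gone_at`, which is the delay the original question was trying to avoid.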