[dns-operations] DNSSEC transition

Hugo Salgado hsalgado at nic.cl
Mon Jan 23 14:35:58 UTC 2023


On 21:22 20/01, Rubens Kuhl via dns-operations wrote:
> 
> Simple way is to remove the DS from the parent, wait for the DS TTL to be over, and then change the delegation at the parent domain. But this makes the change wait for that DS TTL.
> 
> I wonder if there is a way to make this transition happen faster from an outside POV, even if under the hood there is still work in progress during the DS TTL. Is there a way to tell "hey, DNSSEC is no longer available for this domain, and I can prove that with an RRSIG record" that resolvers would trust? Because other than that, the next option would be to act as a recursor querying the new name servers, and signing the responses on the fly.
> 

The authoritative server could add an NSEC/3 in the authority
section along with the NS set, without the DS bit in the type map, as
evidence.

A resolver could trust it or make another DS query, but it needs
to synchronize an NS change with its DS record.

Hugo
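As an added illustration (not code from the thread), here is the resolver-side check that the evidence Hugo describes implies: decode the RFC 4034 type bitmap of the NSEC at the delegation point and report whether the DS bit is absent. The sample RDATA is constructed; NSEC3 uses the same bitmap encoding with a hashed owner name, and in either case the record only counts as evidence once its RRSIG has validated.

```python
# Constructed example: decode an NSEC type bitmap and test for a missing DS bit.
NS, DS, RRSIG, NSEC = 2, 43, 46, 47

def encode_type_bitmap(types):
    """Build an RFC 4034 4.1.2 type bitmap from a set of RR type numbers."""
    out = bytearray()
    for window in sorted({t >> 8 for t in types}):
        octets = bytearray(32)
        for t in types:
            if t >> 8 == window:
                octets[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
        length = max(i for i, b in enumerate(octets) if b) + 1  # drop trailing zeros
        out += bytes([window, length]) + octets[:length]
    return bytes(out)

def decode_type_bitmap(data):
    """Return the set of RR type numbers present in a type bitmap."""
    types, pos = set(), 0
    while pos < len(data):
        window, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32 or pos + 2 + length > len(data):
            raise ValueError("malformed type bitmap window")
        for i in range(length):
            for bit in range(8):
                if data[pos + 2 + i] & (0x80 >> bit):
                    types.add((window << 8) | (i << 3) | bit)
        pos += 2 + length
    return types

def parse_nsec_rdata(rdata):
    """Split NSEC RDATA into (next owner name, type bitmap); name is uncompressed wire format."""
    labels, pos = [], 0
    while rdata[pos] != 0:
        n = rdata[pos]
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in NSEC next name")
        labels.append(rdata[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", rdata[pos + 1:]

def delegation_is_insecure(nsec_rdata):
    """True when the delegation's NSEC lists NS but not DS: a signed 'no DS' statement (RFC 4035 5.2)."""
    types = decode_type_bitmap(parse_nsec_rdata(nsec_rdata)[1])
    return NS in types and DS not in types

# Constructed NSEC RDATA at a delegation point with next owner name "b.example."
_NEXT = b"\x01b\x07example\x00"
SECURE_DELEGATION = _NEXT + encode_type_bitmap({NS, DS, RRSIG, NSEC})
INSECURE_DELEGATION = _NEXT + encode_type_bitmap({NS, RRSIG, NSEC})
```

Note that a validator which accepts this proof still has to reconcile it with a DS RRset that may sit in its cache until the parent's DS TTL expires, which is the synchronisation problem Hugo points at.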

