[dnssec-deployment] How does it work?
Olafur Gudmundsson
ogud at ogud.com
Wed Jun 24 17:40:20 EDT 2009
At 16:52 24/06/2009, Edward Lewis wrote:
>At 19:42 +0200 6/24/09, Patrik Wallstrom wrote:
>
>>1.2) The transfer goes to a registrar that also signs all of their domains.
>
>>So the real problem here is 1.2 - the transition period from going to a set
>>of nameservers with one key to another set of nameservers with another key.
>
>Wouldn't allowing multiple DS records (at the TLD) solve this? I
>mean, if the gaining entity pre-generates the keys for the
>registrant (giving the DS record to the registrant), the registrant
>can request the addition of the new DS record before the transfer.
Having DS records pointing to the KSKs for the new DNS operators
(whoever they are) is a necessary precondition but not a sufficient one.
BOTH DNS operators must include the ZSK of the other into their DNSKEY set.
Before the switch the OLD DS set (and the OLD DNSKEY set) must have
timed out in ALL caches.
The corner cases we still need to deal with are:
old DNSKEY
new RRSIG
and
new DNSKEY
old RRSIG
An alternative, if we allow a SHORT outage, is to have the losing DNS operator
shorten the DNSKEY TTL to a small value, but that will lead to temporary
outages, in particular if the validator (or its resolver) is stuck
on the old DNS operator.
The other change we are advocating when DNS service is transferred is that
the prior DNS operator MUST stop serving up the data when told to.
Olafur
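The validation states described in this message (DS for both KSKs as the necessary precondition, each operator publishing the other's ZSK as the sufficient step, and the two mixed DNSKEY/RRSIG corner cases) can be checked in a small model. The following Python is an added example, not code from the thread or from any DNSSEC implementation: keys are plain identifiers, a "signature" is just the id of the ZSK that produced it, and a resolver's validation is reduced to the two chain checks that matter here (a DS in the parent matches a KSK in the DNSKEY set, and the RRSIG's key is in that set). The operator names, key names and the `scenario` helper are all constructed for the illustration.

```python
"""Model of DNSSEC validation while a zone moves between DNS operators.

Constructed model (not the thread's code): during the move a validator may
hold a cached DNSKEY RRset from one operator while receiving freshly signed
data (RRSIG) from the other, so every combination of DNSKEY source and
RRSIG source has to validate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    name: str
    ksk: bool          # True for a KSK (referenced by DS), False for a ZSK


@dataclass
class Operator:
    name: str
    ksk: Key
    zsk: Key
    # ZSKs of the other operator that this operator also publishes
    extra_zsks: frozenset = frozenset()

    def dnskey_set(self) -> frozenset:
        """The DNSKEY RRset this operator serves for the zone."""
        return frozenset({self.ksk, self.zsk, *self.extra_zsks})


def validate(ds_set: frozenset, dnskey_set: frozenset, rrsig_key: Key) -> bool:
    """Chain check a validator performs on data signed by rrsig_key:
    1. some KSK in the DNSKEY set is matched by a DS in the parent, and
    2. the key that made the RRSIG is present in that DNSKEY set."""
    anchored = any(k.ksk and k in ds_set for k in dnskey_set)
    return anchored and rrsig_key in dnskey_set


def transfer_matrix(ds_set: frozenset, old: Operator, new: Operator) -> dict:
    """Validate every (cached DNSKEY source, RRSIG source) mix a resolver can
    see while old and new data coexist in caches. Keys of the result are
    (dnskey_from, rrsig_from) operator names."""
    results = {}
    for dk_src in (old, new):
        for sig_src in (old, new):
            results[(dk_src.name, sig_src.name)] = validate(
                ds_set, dk_src.dnskey_set(), sig_src.zsk)
    return results


# Constructed keys for the two operators.
OLD_KSK, OLD_ZSK = Key("old-ksk", True), Key("old-zsk", False)
NEW_KSK, NEW_ZSK = Key("new-ksk", True), Key("new-zsk", False)


def scenario(cross_publish: bool, both_ds: bool) -> dict:
    """cross_publish: each operator includes the other's ZSK in its DNSKEY set.
    both_ds: the parent carries DS records for both KSKs (not just the old)."""
    old = Operator("old", OLD_KSK, OLD_ZSK,
                   frozenset({NEW_ZSK}) if cross_publish else frozenset())
    new = Operator("new", NEW_KSK, NEW_ZSK,
                   frozenset({OLD_ZSK}) if cross_publish else frozenset())
    ds = frozenset({OLD_KSK, NEW_KSK}) if both_ds else frozenset({OLD_KSK})
    return transfer_matrix(ds, old, new)


def all_validate(results: dict) -> bool:
    return all(results.values())


if __name__ == "__main__":
    for cross, ds in ((False, False), (False, True), (True, False), (True, True)):
        print(f"cross-publish ZSKs={cross}, DS for both KSKs={ds}:")
        for (dk, sig), ok in scenario(cross, ds).items():
            print(f"  DNSKEY from {dk:3}, RRSIG from {sig:3} -> {'valid' if ok else 'BOGUS'}")
```

Running it shows the message's argument directly: with DS records for both KSKs but no cross-published ZSKs, the two mixed cases (old DNSKEY with new RRSIG, new DNSKEY with old RRSIG) are bogus; with cross-published ZSKs but only the old DS, everything served under the new KSK is bogus; only when both conditions hold does every combination validate.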