[dnssec-deployment] How does it work?

Mark Andrews marka at isc.org
Fri Jun 26 10:37:11 EDT 2009


In message <82skhnl6t5.fsf at mid.bfk.de>, Florian Weimer writes:
> * Mark Andrews:
> 
> > 	The new owner generates KSK and ZSKs for each algorithm
> > 	in use; these are added to the existing DNSKEYs. Both the
> > 	old and the new owners sign the DNSKEY RRset.
> 
> The current contractual framework employed by most TLDs doesn't
> support this approach, I think.

It only requires the seller to co-operate with the buyer to make
the secure transfer happen.  If the seller doesn't co-operate then
the zone goes dark for some clients for some period of time.  This is
nothing new as it happens every day with the way transfers are done.

We then see complaints on bind-users because no one tries to ensure
that transfers are done cleanly and we end up telling people how
to clean up the messes that result.

With a little bit of co-operation no zone needs to go dark with or
without DNSSEC being involved.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
