[dnssec-deployment] How does it work?
Mark Andrews
marka at isc.org
Tue Jun 30 11:02:19 EDT 2009
In message <list-17782844 at execdsl.com>, Paul Wouters writes:
> On Tue, 30 Jun 2009, Ondřej Surý wrote:
>
> > Sure, having the extra DS in the parent is not a risk. But keeping
> > that extra DS at the parent does not ensure that there will not be
> > validation failures. You still have the DNSKEY corresponding to
> > old-DS and the DNSKEY corresponding to new-DS, and all the
> > associated RRSIGs.
>
> Wasn't this solved by just adding the old-DNSKEY to the new zone?
The old key has to be a self signing key. This requires
co-operation.
> > But that's fortunately same as the current situation. People are used to
> > wait for caches before the transfer is complete, since it's very common
> > to transfer the domain name and change the hosting provider at the same
> > time. (At least here...)
>
> Yes, but usually the old and new DNS provider serve the same zone, so it
> does not matter. With DNSSEC breakage, it would matter as it would cause
> downtime.
>
> > But I guess we need to prepare some step-by-step cookbook for people and
> > registrars, like:
>
> My experience with .nl, where it is "mandatory" (but not enforced or
> punished in any way if you don't comply) for the losing registrar to run
> secondary to the new registrar, is that in less than 1% that actually
> works. Anything more complicated will have an even higher failure rate.
>
> Paul
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org