Miek Gieben <m...@miek.nl> wrote:
>
> > There is a simpler procedure for change of operator, which only requires
> > operators to be able to import extra DNSKEY RRs - the same for both the
> > old and the new operator. It does not require cross-signing as described
> > in rfc4641bis, and it does not require either operator to host NS records
> > pointing at a competitor.
>
> Isn't this?
> https://tools.ietf.org/html/draft-koch-dnsop-dnssec-operator-change-04
> Section 3.1

Er, yes, thanks for reminding me that I should have read that document.

A few differences: That draft makes the excellent point that you only need
to copy the ZSK DNSKEY RRs between the old and new versions of the zone -
there's no need to copy the KSK too. It also considers the TTLs more
carefully than I did. And it proposes to use the registry to transfer the
new DNSKEY RR to the old operator, whereas I was thinking that the domain
owner would do it, either via the operators' web interfaces or via an API
etc. This has the advantage that the same functionality provided by the
operators (adding DNSKEY records without private keys) is useful for
gaining customers not just for losing them - better security economics.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
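Tony's point above about copying only the ZSK DNSKEY RRs, as an added Python example (not from this thread or from the draft): it parses constructed DNSKEY RRs with placeholder public keys, computes RFC 4034 key tags, builds each operator's transition DNSKEY RRset by importing only the other operator's ZSKs, and checks in a simplified validator model that zone data signed by either operator then validates against either RRset. The model assumes the parent's DS set already covers whichever KSK signed the fetched DNSKEY RRset; that part of the chain is not checked here.

```python
import base64
import struct

# Constructed DNSKEY RRs in presentation format (placeholder public keys, not
# real algorithm-13 keys). Flags 257 = ZONE|SEP (KSK), 256 = ZONE (ZSK).
OLD_OPERATOR = [
    "example.net. 3600 IN DNSKEY 257 3 13 AAAAAA==",
    "example.net. 3600 IN DNSKEY 256 3 13 AAAAAA==",
]
NEW_OPERATOR = [
    "example.net. 3600 IN DNSKEY 257 3 13 AAABAA==",
    "example.net. 3600 IN DNSKEY 256 3 13 AAABAA==",
]

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Parse one DNSKEY RR in presentation format into the fields used below."""
    _owner, _ttl, _cls, _type, flags, proto, alg, *b64 = line.split()
    flags, proto, alg = int(flags), int(proto), int(alg)
    pubkey = base64.b64decode("".join(b64))
    return {"flags": flags, "algorithm": alg, "is_ksk": bool(flags & 1),
            "tag": key_tag(flags, proto, alg, pubkey)}

def transition_dnskey_set(own, other):
    """Own keys plus the other operator's ZSKs; the other KSK is not imported."""
    return own + [k for k in other if not k["is_ksk"]]

def can_validate(dnskeys, rrsig):
    """Simplified validator: the DNSKEY RRset is assumed already validated via
    the parent's DS and the KSK that signed it; an RRSIG over zone data is then
    accepted only if a key with its key tag and algorithm is in that RRset."""
    return any(k["tag"] == rrsig["key_tag"] and k["algorithm"] == rrsig["algorithm"]
               for k in dnskeys)

def operator_change():
    old = [parse_dnskey(line) for line in OLD_OPERATOR]
    new = [parse_dnskey(line) for line in NEW_OPERATOR]
    old_zsk = next(k for k in old if not k["is_ksk"])
    new_zsk = next(k for k in new if not k["is_ksk"])
    sig_old = {"key_tag": old_zsk["tag"], "algorithm": 13}  # RRSIG by old ZSK
    sig_new = {"key_tag": new_zsk["tag"], "algorithm": 13}  # RRSIG by new ZSK
    return {
        "before": can_validate(old, sig_new),        # no ZSK exchange yet: fails
        "old_after": can_validate(transition_dnskey_set(old, new), sig_new),
        "new_after": can_validate(transition_dnskey_set(new, old), sig_old),
        "ksk_imported": any(k["is_ksk"] and k["tag"] == new[0]["tag"]
                            for k in transition_dnskey_set(old, new)),
    }
```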