On Wed, Feb 24, 2021 at 2:14 PM Ben Schwartz <bemasc=40google....@dmarc.ietf.org> wrote:

> On Wed, Feb 24, 2021 at 4:44 PM Mark Andrews <ma...@isc.org> wrote:
>
>> > On 25 Feb 2021, at 02:01, Ulrich Wisser <ulrich=40wisser...@dmarc.ietf.org> wrote:
>> > ...
>> > At the current state of dnssec RFC definitions it is unclear how you
>> > could change DNS operators securely if these operators do not sign the zone
>> > with the same algorithm.
>>
>> You can’t do that as the logic doesn’t allow it. Perform algorithm roles
>> to and from mandatory to implement algorithms before and after the move if
>> necessary.
>
> What if you set all TTLs to zero on both sides until the transition is
> complete?

That's not possible. The DS records are on the parent side (TLD) and the TTL is set by the TLD per whatever their standard policy is. Same for RRSIGs over those DS records.

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop