> On 25 Feb 2021, at 09:13, Ben Schwartz <bem...@google.com> wrote:
>
> On Wed, Feb 24, 2021 at 4:44 PM Mark Andrews <ma...@isc.org> wrote:
>
> > On 25 Feb 2021, at 02:01, Ulrich Wisser <ulrich=40wisser...@dmarc.ietf.org> wrote:
> ...
> > At the current state of DNSSEC RFC definitions it is unclear how you could
> > change DNS operators securely if these operators do not sign the zone with
> > the same algorithm.
>
> You can’t do that as the logic doesn’t allow it. Perform algorithm rolls to
> and from mandatory to implement algorithms before and after the move if
> necessary.
>
> What if you set all TTLs to zero on both sides until the transition is
> complete?

You still can’t do it. You need to publish simultaneous DS records for the
losing and gaining zones. Zone transfers take time. The DNS is loosely
coherent.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
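
The constraint discussed in this thread, as an added example that is not part of the original e-mails: a small check of the signing rules in RFC 4035 section 2.2 against each operator's served copy of the zone during the overlap. It assumes that rule is the "logic" referred to above and that both operators cross-publish each other's keys; the `ServedZone` type, the operator names and the key sets are constructed for illustration.

```python
# Added example; operator names and key sets are constructed.
# Assumption: the rule being checked is RFC 4035 section 2.2.
from dataclasses import dataclass

RSASHA256, ECDSAP256SHA256 = 8, 13  # IANA DNSSEC algorithm numbers


@dataclass(frozen=True)
class ServedZone:
    operator: str
    dnskey_algs: frozenset      # algorithms present in the apex DNSKEY RRset
    dnskey_sig_algs: frozenset  # algorithms of the RRSIGs covering that RRset
    data_sig_algs: frozenset    # algorithms of the RRSIGs covering other RRsets


def violations(ds_algs, zone):
    """Return the RFC 4035 section 2.2 rules this served copy breaks."""
    found = []
    # The apex DNSKEY RRset must be signed by every algorithm in the DS RRset.
    unsigned = frozenset(ds_algs) - zone.dnskey_sig_algs
    if unsigned:
        found.append(f"{zone.operator}: DNSKEY RRset lacks RRSIG for "
                     f"DS algorithm(s) {sorted(unsigned)}")
    # Every RRset must be signed by every algorithm in the DNSKEY RRset.
    unsigned = zone.dnskey_algs - zone.data_sig_algs
    if unsigned:
        found.append(f"{zone.operator}: zone data lacks RRSIG for "
                     f"DNSKEY algorithm(s) {sorted(unsigned)}")
    return found


def handover(losing_alg, gaining_alg):
    """Model the overlap: DS for both operators at the parent, both key sets
    cross-published, each operator able to sign only with its own key."""
    both = frozenset({losing_alg, gaining_alg})
    zones = [
        ServedZone("losing", both, frozenset({losing_alg}), frozenset({losing_alg})),
        ServedZone("gaining", both, frozenset({gaining_alg}), frozenset({gaining_alg})),
    ]
    return [v for z in zones for v in violations(both, z)]


if __name__ == "__main__":
    for pair in [(ECDSAP256SHA256, ECDSAP256SHA256), (RSASHA256, ECDSAP256SHA256)]:
        print(pair, handover(*pair) or "consistent")
```

With one shared algorithm both served copies pass; with two different algorithms neither operator can produce the signatures the other algorithm requires, whatever the TTLs are.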