Hi Ben,
On 25. 02. 21 at 1:50 Ben Schwartz wrote:
On Wed, Feb 24, 2021 at 6:57 PM Brian Dickson <brian.peter.dick...@gmail.com> wrote:
That's not possible. The DS records are on the parent side (TLD)
and the TTL is set by the TLD per whatever their standard policy
is. Same for RRSIGs over those DS records.
That's fine. I meant the TTLs of the ZSKs and zone contents.
Switching from provider A to provider B, the sequence would be
1. Set all TTLs in the zone to zero
2. Wait
3. Copy zone to provider B
4. Add DS for B's keys to the parent
This wouldn't work either. The resolver would see two DSs with
different algorithms at the parent zone, but only one (pair of) DNSKEYs
with a single algorithm, whichever provider of your zone it queries.
This would violate RFC 4035: "The apex DNSKEY RRset itself MUST be
signed by each algorithm appearing in the DS RRset located at the
delegating parent (if any)."
5. Wait
6. Add B's NS to the parent
7. Remove A's NS from the parent
8. Wait
9. Remove DS for A's keys from the parent
10. Set zone TTLs to > 0
IMHO, performing an algorithm rollover while switching DNSSEC providers
is indeed difficult, if possible at all. Even the lax validation doesn't
help much.
However, performing an algorithm rollover normally isn't that hard using
proper tooling, so I don't think we should continue to justify lax
validation only in order to encourage signers to switch from using
obsolete algorithms.
Libor
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
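The RFC 4035 rule Libor cites, and the "lax" reading from RFC 6840 section 5.11 that the thread contrasts it with, as an added model that is not part of the original thread. It replays the provider-switch sequence after step 4 (DS for both providers at the parent) with constructed records; DS-to-DNSKEY matching is simplified to key tag plus algorithm (no digest), and the key tags and algorithm numbers (8 = RSASHA256, 13 = ECDSAP256SHA256) are sample values.

```python
"""Check an apex DNSKEY RRset against the parent's DS RRset.
Records are minimal tuples built from constructed sample data, not real
zone contents; matching ignores the DS digest for brevity."""

from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:  # a signature covering the apex DNSKEY RRset
    key_tag: int
    algorithm: int


def strict_check(ds_set, dnskeys, dnskey_sigs):
    """RFC 4035 s2.2 reading: every algorithm in the DS RRset must sign the
    apex DNSKEY RRset.  Returns the set of DS algorithms with no such
    signature (empty set means the rule is satisfied)."""
    ds_algs = {ds.algorithm for ds in ds_set}
    signing_algs = {s.algorithm for s in dnskey_sigs
                    if any(k.key_tag == s.key_tag and k.algorithm == s.algorithm
                           for k in dnskeys)}
    return ds_algs - signing_algs


def lax_check(ds_set, dnskeys, dnskey_sigs):
    """RFC 6840 s5.11 reading: one DS that matches a published DNSKEY which
    signs the DNSKEY RRset is enough for a secure chain."""
    return any(
        any(k.key_tag == ds.key_tag and k.algorithm == ds.algorithm for k in dnskeys)
        and any(s.key_tag == ds.key_tag and s.algorithm == ds.algorithm for s in dnskey_sigs)
        for ds in ds_set)


# Constructed scenario after step 4 of the sequence: DS for both providers at the parent.
PARENT_DS = [DS(11111, 8), DS(22222, 13)]
PROVIDER_A = ([DNSKEY(11111, 8)], [RRSIG(11111, 8)])       # A serves only its alg-8 key
PROVIDER_B = ([DNSKEY(22222, 13)], [RRSIG(22222, 13)])     # B serves only its alg-13 key
ROLLOVER = ([DNSKEY(11111, 8), DNSKEY(22222, 13)],         # in-place rollover: both published
            [RRSIG(11111, 8), RRSIG(22222, 13)])           # and both sign the DNSKEY RRset
```

Under the strict rule, answers from either provider alone are missing one DS algorithm, while the in-place rollover passes; only the lax rule accepts the split-provider state.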