> - Switching providers while staying secure requires
>   inter-provider cooperation, including publishing ZSKs from
>   both providers in the DNSKEY RRSET served by both providers.

What? Maybe I just don't understand the context or conditions here, but ...

Isn't it possible to stand up a new signing and publishing setup with new ZSKs and new KSKs, and have both the old DS record pointing to the old setup's KSK and a new DS record pointing to the KSK of the new setup registered in the parent zone, and then change the actual delegation (NS records), while still retaining both the two DS records for a while until the data from the old setup has timed out?

There is then no need to share the secret part of the KSKs or the ZSKs between the old and the new providers, or to include both the new and the old ZSKs in the zone.

Regards,

- Håvard

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
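
An added example, not part of the original message: a toy Python model of the check a validating resolver performs while both DS records are in the parent, comparing responses where the DNSKEY RRset and the signed answer come from the same provider with responses where a resolver combines the two providers. The key labels, the `Provider` class and the `validates` helper are constructed for illustration; a real validator matches key tags and verifies signatures rather than comparing labels.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Provider:
    name: str
    ksk: str                             # label standing in for the provider's KSK
    zsk: str                             # label standing in for the provider's ZSK
    extra_zsks: frozenset = frozenset()  # other providers' ZSKs it also publishes

    def dnskey_rrset(self):
        """DNSKEY RRset this provider serves, signed with its own KSK."""
        return frozenset({self.ksk, self.zsk}) | self.extra_zsks


def validates(ds_set, dnskey_from, answer_from):
    """Does an answer signed by answer_from's ZSK chain to the parent DS set
    through the DNSKEY RRset the resolver holds from dnskey_from?"""
    # Step 1: the DNSKEY RRset must be signed by a KSK that a DS record matches.
    if dnskey_from.ksk not in ds_set:
        return False
    # Step 2: the answer's signing ZSK must be present in that DNSKEY RRset.
    return answer_from.zsk in dnskey_from.dnskey_rrset()


def matrix(ds_set, providers):
    """Outcome for every (source of DNSKEY RRset, source of answer) pair."""
    return {(d.name, a.name): validates(ds_set, d, a)
            for d, a in product(providers, repeat=2)}


# Constructed sample data: two providers with fully independent key sets.
OLD = Provider("old", "KSK-old", "ZSK-old")
NEW = Provider("new", "KSK-new", "ZSK-new")
DS_BOTH = frozenset({OLD.ksk, NEW.ksk})   # both DS records registered in the parent

# Same providers, each also publishing the other's ZSK in its DNSKEY RRset.
OLD_X = Provider("old", "KSK-old", "ZSK-old", frozenset({"ZSK-new"}))
NEW_X = Provider("new", "KSK-new", "ZSK-new", frozenset({"ZSK-old"}))

if __name__ == "__main__":
    for label, provs in (("independent keys", (OLD, NEW)),
                         ("cross-published ZSKs", (OLD_X, NEW_X))):
        print(label)
        for (d, a), ok in matrix(DS_BOTH, provs).items():
            print(f"  DNSKEY from {d:3}, answer from {a:3}: {'secure' if ok else 'bogus'}")
```
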