Throw a forced algorithm change in on top, where neither provider is willing to sign with the other provider's algorithm.
-- 
Mark Andrews

> On 2 Mar 2021, at 06:55, Havard Eidnes <he=40uninett...@dmarc.ietf.org> wrote:
> 
>> 
>> - Switching providers while staying secure requires
>> inter-provider cooperation, including publishing ZSKs from
>> both providers in the DNSKEY RRSET served by both providers.
> 
> What?
> 
> Maybe I just don't understand the context or conditions here, but
> ...
> 
> Isn't it possible to stand up a new signing and publishing setup
> with new ZSKs and new KSKs, and have both the old DS record
> pointing to the old setup's KSK and a new DS record pointing to
> the KSK of the new setup registered in the parent zone, and then
> change the actual delegation (NS records), while still retaining
> both the two DS records for a while until the data from the old
> setup has timed out?
> 
> There is then no need to share the secret part of the KSKs or the
> ZSKs between the old and the new providers, or to include both
> the new and the old ZSKs in the zone.
> 
> Regards,
> 
> - Håvard
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
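An added example, not code from this thread or from any of its authors, that models the validator steps the two messages above argue about. Keys, key tags and DS records are constructed stand-ins (no real cryptography), and the function and key names are assumptions of the model. It runs the plan Håvard describes (both DS records in the parent, then an NS change, each provider publishing only its own keys) and the shared-ZSK arrangement quoted at the top through the same validation logic; the case that separates the two is a resolver that still holds one provider's DNSKEY RRset in its cache when the NS change sends its next query to the other provider. The last function models the algorithm point in Mark's reply: a provider that publishes a ZSK of an algorithm it cannot sign with.

```python
"""Toy model of DNSSEC chain-of-trust checks during a signing-provider switch.
Keys, tags and DS records are constructed stand-ins; nothing here does real
cryptography."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    label: str   # e.g. "old-ksk"; assumption: a label stands in for real key material
    tag: int     # stand-in for the DNSKEY key tag
    alg: int     # DNSSEC algorithm number, e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256


def ds(*keys):
    """Parent-side DS set as (key tag, algorithm) pairs. A real DS also carries
    a digest of the DNSKEY; in this model the tag stands in for it."""
    return {(k.tag, k.alg) for k in keys}


def validate_chain(parent_ds, dnskey_rrset, dnskey_signer, answer_signer):
    """Return "secure" or "bogus" for one answer, in the order a validator works:
    1. the DNSKEY RRset must be signed by a key that is in the RRset and is
       matched by a DS in the parent;
    2. the RRSIG on the answer must name a key that is in that DNSKEY RRset.
    dnskey_rrset is whatever the resolver has cached for the zone apex, which
    may have come from a different provider than the answer did."""
    if dnskey_signer not in dnskey_rrset:
        return "bogus"      # RRSIG(DNSKEY) made by a key the RRset does not contain
    if (dnskey_signer.tag, dnskey_signer.alg) not in parent_ds:
        return "bogus"      # no DS authenticates the KSK that signed the DNSKEY RRset
    if answer_signer not in dnskey_rrset:
        return "bogus"      # answer signed by a ZSK absent from the validated DNSKEY RRset
    return "secure"


def unsigned_algorithms(dnskey_rrset, private_keys):
    """Algorithms present in a provider's published DNSKEY RRset for which that
    provider holds no private key. RFC 4035 section 2.2 requires an RRSIG with
    at least one key of every algorithm in the apex DNSKEY RRset, so a non-empty
    result means the provider cannot serve a properly signed zone."""
    return {k.alg for k in dnskey_rrset} - {k.alg for k in private_keys}


# Constructed keys: both providers use algorithm 13, except for the
# algorithm-8 ZSK used only in forced_algorithm_change().
OLD_KSK = Key("old-ksk", 11111, 13)
OLD_ZSK = Key("old-zsk", 22222, 13)
NEW_KSK = Key("new-ksk", 33333, 13)
NEW_ZSK = Key("new-zsk", 44444, 13)
NEW_ZSK_ALG8 = Key("new-zsk-alg8", 55555, 8)


def switch_scenarios(share_zsks):
    """Resolver-cache cases that arise while the NS set is being moved.
    share_zsks=False: each provider publishes only its own keys.
    share_zsks=True: each provider also publishes the other provider's ZSK."""
    old_rrset = {OLD_KSK, OLD_ZSK} | ({NEW_ZSK} if share_zsks else set())
    new_rrset = {NEW_KSK, NEW_ZSK} | ({OLD_ZSK} if share_zsks else set())
    both_ds = ds(OLD_KSK, NEW_KSK)
    return {
        # parent still carries only the old DS, resolver already reaches the new provider
        "new_provider_before_new_ds": validate_chain(ds(OLD_KSK), new_rrset, NEW_KSK, NEW_ZSK),
        # both DS published; DNSKEY RRset and answer both fetched from the new provider
        "new_provider_fresh_cache": validate_chain(both_ds, new_rrset, NEW_KSK, NEW_ZSK),
        # both DS published; old provider's DNSKEY RRset still cached, answer from new provider
        "old_dnskey_cached_new_answer": validate_chain(both_ds, old_rrset, OLD_KSK, NEW_ZSK),
        # the mirror case while some resolvers still reach the old NS set
        "new_dnskey_cached_old_answer": validate_chain(both_ds, new_rrset, NEW_KSK, OLD_ZSK),
    }


def forced_algorithm_change():
    """Old provider (algorithm 13 only) publishes the new provider's algorithm-8
    ZSK as the shared-ZSK scheme asks, but holds no algorithm-8 private key."""
    old_rrset = {OLD_KSK, OLD_ZSK, NEW_ZSK_ALG8}
    return unsigned_algorithms(old_rrset, private_keys={OLD_KSK, OLD_ZSK})


if __name__ == "__main__":
    for share in (False, True):
        print(f"shared ZSKs={share}:", switch_scenarios(share))
    print("algorithms the old provider cannot sign with:", forced_algorithm_change())
```

Both DS records in the parent are necessary in every scenario (the first case is bogus regardless of ZSK sharing), but in the model they are not sufficient on their own: with unshared ZSKs the two mixed-cache cases come out bogus for as long as one provider's DNSKEY RRset can sit in a cache while answers are fetched from the other. The model also leaves out DS digests, signature validity periods and TTL expiry, which a real migration plan has to account for.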