1. I assume example.com is signed.
2. I don't understand why you can't just remove the NS records and fold the
foo.bar.example.com data in.
3. After some interval of TTL, you can delete the DS records.
If bar.example.com is served by the same server (I assume not: because if it
was, why would
TL;DR Don't do this. It is not going to work as the origin of the RRSIG would
be different.
gitlab.isc.org. 7200 IN A 52.201.58.154
gitlab.isc.org. 7200 IN RRSIG A 13 3 7200 (
20241222045850 20241208044609 27566 isc.org.
Just an idea, but what if you copy the current ZSK key files from the
example.com zone and rename the files (i.e. add “bar” into the filenames) so it
will be picked up by the bar.example.com zone? In theory that should populate
bar.example.com with the correct RRSIG records prior to removing the
From what Ondřej says, if you can temporarily move the bar.example.com zone
to a different set of nameservers, that would be much safer. Then you add
the new records and remove the NS delegation of bar from the example.com
zone, and wait for TTLs to expire. I would also turn down the TTLs
ever
Hello Chris.
My take is that there *will* be some sort of breakage even if you do
everything right with shortest possible TTLs - because this is the DNS,
eventually consistent by design, and wildly misimplemented in practice.
So don't feel bad when some breakage occurs :-) It will very much depe
Chris, that depends on whether both are on the same nameservers or not. If not, then you can just fold first and then wait out the TTLs. If yes, then it can get hairy and I would suggest reducing the TTL on the delegation records to some small number (in the order of minutes). Perhaps also reduce TTL o