[GNSO-TPR] Concurrent changes; transfer of DNS service

Lutz Donnerhacke lutz at donnerhacke.de
Tue May 18 14:20:52 UTC 2021


On Tue, May 18, 2021 at 09:38:02AM -0400, Steve Crocker wrote:
> I'd be very interested in how you transfer a DNSSEC signed zone without
> incurring any disruption of either resolution or validation.  Perhaps best
> if we take this offline.

If we are out of scope, please let me (as an alternate) add some notes.

The current minimal policy requirement is that the gaining registrar is able to
delete the DNSSEC information from the registry.  So this procedure is
possible:
 1) Transfer the registry permissions to the gaining registrar.
 2) Delete the DNSSEC (DS) data at the registry.
 3) Wait (a policy must exist that the old NS must not be disconnected)
 4) Set new name server glue at the registry.
 5) Losing name server operator ends the service.
This way the losing registrar is not required to do anything.

If the gaining registrar is able to operate with DNSSEC, a different method
can be used:
 1) Transfer the registry permissions to the gaining registrar.
 2) Add new DNSSEC (DS) data without deleting the existing one at the registry.
 3) Wait (a policy must exist that the old NS must not be disconnected)
 4) Set new name server glue at the registry.
 5) Losing name server operator ends the service.
 6) Remove old DNSSEC (DS) data without deleting the new one at the registry.
This way the losing registrar is not required to do anything.

If there is no policy to uphold the name server operations after the
transfer, some early activities are necessary:
 1) The losing registrar receives new DNSSEC (DS) data from the gaining name
    server operator via the registrant.
 2) The losing registrar adds the new DNSSEC (DS) data in addition to the
    old one at the registry.
 3) Wait
 4) Transfer the registry permissions to the gaining registrar.
 5) Gaining registrar sets new name server glue and removes old DS records
    at the registry.
 6) Losing name server operator ends the service.
Here we only need a policy that the losing registrar is required to add an
additional DNSSEC record when handing out an authinfo code.

If we do not have any of those policies, the service will be disrupted
during the transfer.
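The three procedures above differ in what a validating resolver sees at each step. The following is an added example (editor's code, not part of the original post or of any registry's tooling) that models each procedure as a sequence of registry DS sets and serving name-server operators, derives the DS records from constructed DNSKEY RDATA as RFC 4034 specifies, and classifies every state as secure, insecure or bogus. The zone name, key bytes and the one-KSK-per-operator model are assumptions; the "both operators serving" state stands in for the TTL window in which caches still point at the old name servers.

```python
"""Simulate registry DS / name-server states during a registrar transfer and
classify each state as a validating resolver would see it.  Constructed
example: zone name and key bytes are placeholders, not real key material."""
import hashlib
import struct

ZONE = "example.test."   # constructed zone name (assumption)

def name_to_wire(name):
    """Owner name in RFC 1035 wire format, lower-cased as RFC 4034 requires for DS."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex) for one DNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

# Each operator's published KSK as (flags, protocol, algorithm, public key bytes).
# Key bytes are constructed filler, not valid ECDSA P-256 keys.
OPERATOR_KSK = {
    "old": (257, 3, 13, b"\x01" * 64),
    "new": (257, 3, 13, b"\x02" * 64),
}
OLD_DS = ds_from_dnskey(ZONE, *OPERATOR_KSK["old"])
NEW_DS = ds_from_dnskey(ZONE, *OPERATOR_KSK["new"])

def classify(registry_ds, serving):
    """'insecure' if the registry holds no DS (zone treated as unsigned),
    'bogus' if some serving operator answers with a KSK that no registry DS
    authenticates, 'secure' otherwise."""
    if not registry_ds:
        return "insecure"
    for op in serving:
        if ds_from_dnskey(ZONE, *OPERATOR_KSK[op]) not in registry_ds:
            return "bogus"
    return "secure"

def run(procedure):
    """Classify every (label, registry DS set, serving operators) state in order."""
    return [classify(ds, serving) for _label, ds, serving in procedure]

# First procedure: delete the DS, then change glue.  Unsigned for a while, never bogus.
DELETE_DS_FIRST = [
    ("start",           {OLD_DS},         ("old",)),
    ("2) delete DS",    set(),            ("old",)),
    ("4) new NS glue",  set(),            ("old", "new")),   # caches still reach old NS
    ("5) old NS stops", set(),            ("new",)),
]

# Second procedure: add the new DS beside the old one, change glue, drop the old DS.
DOUBLE_DS = [
    ("start",           {OLD_DS},         ("old",)),
    ("2) add new DS",   {OLD_DS, NEW_DS}, ("old",)),
    ("4) new NS glue",  {OLD_DS, NEW_DS}, ("old", "new")),
    ("5) old NS stops", {OLD_DS, NEW_DS}, ("new",)),
    ("6) drop old DS",  {NEW_DS},         ("new",)),
]

# No policy at all: glue changes while only the old DS is at the registry.
NO_POLICY = [
    ("start",           {OLD_DS},         ("old",)),
    ("new NS glue",     {OLD_DS},         ("old", "new")),   # new NS keys unauthenticated
    ("old NS stops",    {OLD_DS},         ("new",)),
]

if __name__ == "__main__":
    for name, proc in (("delete DS first", DELETE_DS_FIRST),
                       ("double DS", DOUBLE_DS), ("no policy", NO_POLICY)):
        print(name, list(zip([s[0] for s in proc], run(proc))))
```

Running it shows the trade-off the post describes: the delete-first procedure degrades the zone to insecure until the gaining side publishes a DS again, the double-DS procedure stays secure throughout, and with no policy the zone turns bogus as soon as resolvers reach the new name servers.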


More information about the GNSO-TPR mailing list