[GNSO-TPR] Concurrent changes; transfer of DNS service

Emily Barabas emily.barabas at icann.org
Tue May 18 15:06:49 UTC 2021


Hi Lutz and everyone,

Thank you for checking about protocol for alternates on the mailing list. This is a good moment to remind everyone -- members may contribute on the mailing list at any time. Alternates may only contribute on the mailing list if they are acting as a designated substitute for a member. If they are not "standing in" for a member who is absent, they should refrain from commenting. Thanks in advance for being mindful of this. If there are any questions, please feel free to ask.

Kind regards,
Emily

On 18/05/2021, 16:21, "GNSO-TPR on behalf of Lutz Donnerhacke" <gnso-tpr-bounces at icann.org on behalf of lutz at donnerhacke.de> wrote:

    On Tue, May 18, 2021 at 09:38:02AM -0400, Steve Crocker wrote:
    > I'd be very interested in how you transfer a DNSSEC signed zone without
    > incurring any disruption of either resolution or validation.  Perhaps best
    > if we take this offline.

    If we are out of scope, please let me (as an alternate) add some notes.

    The current minimal policy requirement is that the gaining registrar is able to
    delete the DNSSEC information from the registry.  So this procedure is
    possible:
     1) Transfer the registry permissions to the gaining registrar.
     2) Delete the DNSSEC (DS) data at the registry.
     3) Wait (policy must exist, the old NS must not be disconnected)
     4) Set new name server glue at the registry.
     5) Losing name server operator ends the service.
    This way the losing registrar is not required to do anything.

    If the gaining registrar is able to operate with DNSSEC, a different method
    can be used:
     1) Transfer the registry permissions to the gaining registrar.
     2) Add new DNSSEC (DS) data without deleting the existing one at the registry.
     3) Wait (policy must exist, the old NS must not be disconnected)
     4) Set new name server glue at the registry.
     5) Losing name server operator ends the service.
     6) Remove old DNSSEC (DS) data without deleting the new one at the registry.
    This way the losing registrar is not required to do anything.

    If there is no policy to uphold the name server operations after the
    transfer, some early activities are necessary:
     1) The losing registrar receives new DNSSEC (DS) data from the gaining name
        server operator via the registrant.
     2) The losing registrar adds the new DNSSEC (DS) data in addition to the
        old one at the registry.
     3) Wait
     4) Transfer the registry permissions to the gaining registrar.
     5) Gaining registrar sets new name server glue and removes old DS records
        at the registry.
     6) Losing name server operator ends the service.
    Here we only need a policy that the losing registrar is required to add an
    additional DNSSEC record when handing out an authinfo code.

    If we do not have any of those policies, the service will be disrupted
    during the transfer.
    _______________________________________________
    GNSO-TPR mailing list
    GNSO-TPR at icann.org
    https://mm.icann.org/mailman/listinfo/gnso-tpr
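As an added illustration (not code from the thread), a small Python model of the procedures Lutz describes: it tracks the DS set and NS at the parent plus whatever stale DS or NS a resolver may still hold in cache, and reports which outcomes (secure, insecure, bogus, SERVFAIL) are possible after each step. The model assumes a wait for the NS TTL before the losing operator stops; operator names and KSK key tags are made up.

```python
# Constructed toy model of the procedures above (not the author's code): the parent
# holds DS and NS; resolvers may keep stale DS/NS cached until a "wait" expires TTLs.
OLD, NEW = "losing-operator", "gaining-operator"
TAG = {OLD: 11111, NEW: 22222}          # made-up KSK key tag each operator signs with
class Delegation:
    def __init__(self, keys):
        self.keys = keys                # operator -> KSK tag, None if unsigned
        self.ds = {TAG[OLD]}            # DS records at the parent (registry)
        self.ns = OLD                   # operator the parent delegates to
        self.serving = {OLD, NEW}       # operators still answering queries
        self.cached = {}                # stale values resolvers may still use
    def set_ds(self, ds):
        self.cached.setdefault("ds", set(self.ds))
        self.ds = set(ds)
    def set_ns(self, ns):
        self.cached.setdefault("ns", self.ns)
        self.ns = ns
    def wait(self):                     # DS and NS TTLs expire everywhere
        self.cached.clear()
    def end_service(self, op):
        self.serving.discard(op)
    def outcomes(self):
        """Results across resolvers holding fresh or stale DS/NS."""
        seen = set()
        for ds in (self.ds, self.cached.get("ds", self.ds)):
            for ns in (self.ns, self.cached.get("ns", self.ns)):
                if ns not in self.serving:
                    seen.add("SERVFAIL")    # delegated to a server that stopped
                elif not ds:
                    seen.add("insecure")    # no DS: unsigned, still resolves
                elif self.keys[ns] in ds:
                    seen.add("secure")
                else:
                    seen.add("bogus")       # DS does not match served DNSKEY
        return sorted(seen)

def run(keys, steps):                   # outcomes after each step, fresh delegation
    d, result = Delegation(keys), []
    for step in steps:
        step(d)
        result.append(d.outcomes())
    return result
SIGNED = {OLD: TAG[OLD], NEW: TAG[NEW]}
# Second procedure: add new DS beside old, wait, move NS, wait for NS TTL, old
# operator stops, drop old DS -> every step stays "secure".
DOUBLE_DS = [lambda d: d.set_ds({TAG[OLD], TAG[NEW]}), Delegation.wait,
             lambda d: d.set_ns(NEW), Delegation.wait,
             lambda d: d.end_service(OLD), lambda d: d.set_ds({TAG[NEW]})]
# No policy: NS, DS and service change at once -> SERVFAIL/bogus for some.
ABRUPT = [lambda d: (d.set_ns(NEW), d.set_ds({TAG[NEW]}), d.end_service(OLD))]
```

Dropping the DS and switching the NS without the "wait" in between (first procedure) also shows up as bogus for resolvers that still cache the old DS but already see the new, unsigned operator.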
