[GNSO-TPR] Concurrent changes; transfer of DNS service

Steve Crocker steve at shinkuro.com
Tue May 18 15:09:27 UTC 2021


Lutz,

Thanks for the detailed set of steps.  With respect to the middle scenario,
it's not sufficient to add the new DS record to the registry.  The keys of
both the old and new operators have to be included in the keysets on both
sides.

On Tue, May 18, 2021 at 10:21 AM Lutz Donnerhacke <lutz at donnerhacke.de>
wrote:

> On Tue, May 18, 2021 at 09:38:02AM -0400, Steve Crocker wrote:
> > I'd be very interested in how you transfer a DNSSEC signed zone without
> > incurring any disruption of either resolution or validation.  Perhaps best
> > if we take this offline.
>
> If we are out of scope, please let me (as an alternate) add some notes.
>
> The current minimal policy requirement is that the gaining registrar is able
> to delete the DNSSEC information from the registry.  So this procedure is
> possible:
>  1) Transfer the registry permissions to the gaining registrar.
>  2) Delete the DNSSEC (DS) data at the registry.
>  3) Wait (policy must exist, the old NS must not be disconnected)
>  4) Set new name server glue at the registry.
>  5) Losing name server operator ends the service.
> This way the losing registrar is not required to do anything.
>
> If the gaining registrar is able to operate with DNSSEC, a different method
> can be used:
>  1) Transfer the registry permissions to the gaining registrar.
>  2) Add new DNSSEC (DS) data without deleting the existing one at the
>     registry.
>  3) Wait (policy must exist, the old NS must not be disconnected)
>  4) Set new name server glue at the registry.
>  5) Losing name server operator ends the service.
>  6) Remove old DNSSEC (DS) data without deleting the new one at the registry.
> This way the losing registrar is not required to do anything.
>
> If there is no policy to uphold the name server operations after the
> transfer, some early activities are necessary:
>  1) The losing registrar receives new DNSSEC (DS) data from the gaining
>     name server operator via the registrant.
>  2) The losing registrar adds the new DNSSEC (DS) data in addition to the
>     old one at the registry.
>  3) Wait
>  4) Transfer the registry permissions to the gaining registrar.
>  5) Gaining registrar sets new name server glue and removes old DS records
>     at the registry.
>  6) Losing name server operator ends the service.
> Here we only need a policy that the losing registrar is required to add an
> additional DNSSEC record when handing out an authinfo code.
>
> If we do not have any of those policies, the service will be disrupted
> during the transfer.
>
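To make Steve's objection to the middle scenario concrete, here is an added model (not code from either poster) of what a validating resolver sees while both operators are live and the registry already carries DS records for both KSKs (i.e. after the "Wait" step). Names, the key roles and the three scenario modes are constructed for the illustration; TTLs and the DS fetch itself are deliberately left out. The `zsk_exchange` mode goes beyond the thread and follows the multi-signer arrangement of RFC 8901, where each operator keeps its own KSK but publishes the other's ZSK.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Key:
    owner: str   # operator holding the private key ("old" or "new")
    role: str    # "KSK" or "ZSK"


@dataclass(frozen=True)
class Operator:
    name: str
    dnskey_rrset: frozenset  # Keys this operator publishes in the zone's DNSKEY RRset

    @property
    def ksk(self): return Key(self.name, "KSK")
    @property
    def zsk(self): return Key(self.name, "ZSK")


def validates(ds_owners, cached_from, answering):
    """Simplified chain of trust: the resolver still holds the DNSKEY RRset it
    fetched from `cached_from` (signed by that operator's KSK) and now receives a
    data answer from `answering`, whose RRSIG was made with that operator's ZSK."""
    rrset = cached_from.dnskey_rrset
    # The cached DNSKEY RRset is secure only if its signing KSK is in the RRset
    # and the parent publishes a DS for it.
    dnskey_secure = cached_from.ksk in rrset and cached_from.name in ds_owners
    # The data RRSIG can only be verified with a ZSK present in that cached RRset.
    data_secure = answering.zsk in rrset
    return dnskey_secure and data_secure


def bogus_combinations(ds_owners, operators):
    """Every (cached_from, answering) pair a resolver would mark bogus."""
    return sorted((c.name, a.name) for c, a in product(operators, operators)
                  if not validates(ds_owners, c, a))


def scenario(mode):
    """'ds_only': only the new DS was added (Lutz's middle procedure, step 2).
    'zsk_exchange': each operator also publishes the other's ZSK (RFC 8901 style).
    'all_keys': both operators publish the complete key set of both (Steve's point)."""
    own = {n: {Key(n, "KSK"), Key(n, "ZSK")} for n in ("old", "new")}
    def rrset(me, other):
        if mode == "ds_only":
            return frozenset(own[me])
        if mode == "zsk_exchange":
            return frozenset(own[me] | {Key(other, "ZSK")})
        return frozenset(own[me] | own[other])
    ops = [Operator("old", rrset("old", "new")), Operator("new", rrset("new", "old"))]
    return bogus_combinations({"old", "new"}, ops)
```

With `ds_only`, a resolver that cached one operator's DNSKEY RRset and is then answered by the other cannot verify the data RRSIG, so resolution fails even though both DS records exist; the two cross-publishing modes leave no bogus combination.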