[Opendnssec-user] general question regarding DNSSEC
Dick Visser
2017-02-06 11:35:50 UTC
Hi

I've got a generic question regarding DNSSEC.
What is the proper sequence of steps for going unsigned with a domain
that is currently properly signed?

From the OpenDNSSEC course I remember that just removing the DS record
from the parent is enough.
Just make sure to keep serving the other bits such as RRSIG, DNSKEY etc.
Once the TTL for the DS has expired and nobody should have a DS record
anymore, then it is safe to stop publishing RRSIGs, DNSKEY etc.

I couldn't find any concise information on this topic...

Many thanks

Dick
--
Dick Visser
Sr. System & Network Engineer
GÉANT

Want to join us? We're hiring: http://www.geant.org/jobs
Yuri Schaeffer
2017-02-06 11:54:36 UTC
Hi Dick,
Post by Dick Visser
I've got a generic question regarding DNSSEC.
What is the proper sequence of steps for going unsigned with a domain
that is currently properly signed?
If you are currently using OpenDNSSEC 2.0, you can tell it to stop
signing a zone and it will take care of the timings for you.

https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-StopusingDNSSECforazone
Post by Dick Visser
From the OpenDNSSEC course I remember that just removing the DS record
from the parent is enough.
Just make sure to keep serving the other bits such as RRSIG, DNSKEY etc.
Once the TTL for the DS has expired and nobody should have a DS record
anymore, then it is safe to stop publishing RRSIGs, DNSKEY etc.
Indeed. And that is what you should do if you are running OpenDNSSEC 1.4.

- Remove all DS records from the parent.
- Wait at least the TTL that was on the DS record.
- Swap your signed zone for the unsigned version / remove it from ODS etc.

//Yuri
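
The three steps above, turned into a small planner and sanity check. This is an added example, not code from the thread or from OpenDNSSEC; it assumes you record the DS TTL (here from constructed dig-style answer lines, with a placeholder domain and fake digests) before the parent drops the DS, and it treats the parent's propagation delay as an extra margin you supply yourself.

```python
# Added example (not from the thread or OpenDNSSEC): plan and check the
# "remove DS, wait DS TTL, then drop DNSKEY/RRSIG" sequence.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def ds_ttl_from_records(lines):
    """Largest TTL on DS records in dig-style presentation lines.
    Capture this *before* asking the parent to remove the DS."""
    ttls = [int(f[1]) for f in (line.split() for line in lines)
            if len(f) >= 4 and f[2] == "IN" and f[3] == "DS"]
    if not ttls:
        raise ValueError("no DS records found")
    return max(ttls)


@dataclass(frozen=True)
class UnsignPlan:
    ds_removed_at: datetime      # when the parent stopped publishing the DS
    ds_ttl: int                  # TTL (seconds) that was on the DS RRset
    parent_propagation: int = 0  # assumption: seconds until all parent servers serve the change

    def earliest_unsign_time(self):
        # A validator may fetch the DS just before the last parent server drops it and
        # cache it for ds_ttl seconds; until then, unsigned answers would validate as bogus.
        return self.ds_removed_at + timedelta(seconds=self.parent_propagation + self.ds_ttl)

    def ds_may_be_cached(self, now):
        return now < self.earliest_unsign_time()


def hours_after(plan, hours):
    return plan.ds_removed_at + timedelta(hours=hours)


def check_zone_state(plan, now, apex_rrtypes):
    """Violations for a zone snapshot (set of apex RR types) observed at `now`:
    while a DS may still be cached, DNSKEY and RRSIG must still be served."""
    problems = []
    if plan.ds_may_be_cached(now):
        for rrtype in ("DNSKEY", "RRSIG"):
            if rrtype not in apex_rrtypes:
                problems.append(f"{rrtype} missing at {now.isoformat()}; safe only after "
                                f"{plan.earliest_unsign_time().isoformat()}")
    return problems


# Constructed sample data: placeholder domain, fake digests, DS TTL of one day.
SAMPLE_DS_ANSWER = [
    "example.com.  86400  IN  DS  12345 8 2 FAKEDIGEST0000000000000000000000",
    "example.com.  86400  IN  DS  12345 8 1 FAKEDIGEST00000000000000",
]
DS_REMOVED = datetime(2017, 2, 6, 12, 0, tzinfo=timezone.utc)
PLAN = UnsignPlan(DS_REMOVED, ds_ttl_from_records(SAMPLE_DS_ANSWER), parent_propagation=3600)

if __name__ == "__main__":
    print("earliest safe time to drop DNSKEY/RRSIG:", PLAN.earliest_unsign_time())
    print(check_zone_state(PLAN, hours_after(PLAN, 12), {"SOA", "NS", "A"}))
```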
