[Opendnssec-develop] Domain transfers under DNSSEC
Olaf Kolkman
olaf at NLnetLabs.nl
Mon Dec 8 14:59:51 UTC 2008
On Dec 5, 2008, at 12:13 PM, Roy Arends wrote:
>
> This assumes that the transferring parties are highly cooperative, which
> is not the general case. When 'hostile' parties transfer a domain, it will
> probably fall back to unsigned (i.e. no DS record at parent).

Or two DSs at the parents: the old and the new one. Only the new NS-es.

Note that if the uncooperative party puts a long TTL on both the NS
and the security records, a client may be retrieving old records for a
very long time. In that case the new party may actually force
validation failure for the old parties, depending on how much harm the
old party does.

--Olaf