[Opendnssec-develop] Domain transfers under DNSSEC
olaf at NLnetLabs.nl
Mon Dec 8 15:59:51 CET 2008
On Dec 5, 2008, at 12:13 PM, Roy Arends wrote:
> This assumes that the transferring parties are highly cooperative,
> is not the general case. When 'hostile' parties transfer a domain, it will
> probably fall back to unsigned (ie. no DS record at parent).
Or two DSs at the parents: the old and the new one. Only the new NS-es.
Note that if the uncooperative party puts a long TTL on both the NS
and the security records, a client may be retrieving old records for a
very long time. In that case the new party may actually force
validation failure for the old parties. Depending on how much harm the
old party does.
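
The caching effect discussed in this message, as an added example that is not part of the original post or of OpenDNSSEC: a simplified model of one validating resolver's cache after a transfer, comparing the parent publishing both DSs, only the new DS, or no DS. The function names, the TTL values and the single-resolver model are assumptions made for illustration.

```python
"""Simplified model of one validating resolver's cache during a domain transfer."""

DAY = 86400

def state(t, child_ttl, ds_ttl, parent_ds):
    """Return (server, result) for a query at t seconds after the transfer.

    Assumptions of this model: the resolver cached the old NS, DNSKEY and DS
    just before t=0; the old party set child_ttl on NS and DNSKEY; the parent
    serves the new NS and the DS set parent_ds from t=0 with TTL ds_ttl.
    """
    server = "old" if t < child_ttl else "new"      # cached NS decides who is asked
    ds = {"old"} if t < ds_ttl else set(parent_ds)  # cached DS, then the parent's set
    if not ds:
        return server, "insecure"                   # no DS: zone treated as unsigned
    # Each party signs with its own key, so the server label doubles as key label.
    return server, "secure" if server in ds else "bogus"

def timeline(child_ttl, ds_ttl, parent_ds, horizon):
    """Collapse the model into (start, end, server, result) intervals."""
    points = sorted({0, horizon} | {p for p in (child_ttl, ds_ttl) if p < horizon})
    return [(a, b) + state(a, child_ttl, ds_ttl, parent_ds)
            for a, b in zip(points, points[1:])]

def old_data_accepted(child_ttl, ds_ttl, parent_ds, horizon):
    """Seconds during which answers from the old servers are not rejected."""
    return sum(b - a for a, b, server, result
               in timeline(child_ttl, ds_ttl, parent_ds, horizon)
               if server == "old" and result != "bogus")

if __name__ == "__main__":
    # Constructed values: the old party publishes 14-day TTLs, the DS TTL is 1 day.
    cases = (("old+new DS", {"old", "new"}), ("new DS only", {"new"}), ("no DS", set()))
    for label, ds in cases:
        print(label)
        for a, b, server, result in timeline(14 * DAY, DAY, ds, 21 * DAY):
            print(f"  day {a // DAY:>2}-{b // DAY:<2} asks {server} servers: {result}")
```

In this model, keeping both DSs lets the old party's answers validate for the whole child TTL, while publishing only the new DS turns them bogus as soon as the cached DS expires.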