[Opendnssec-develop] Domain transfers under DNSSEC

Olaf Kolkman olaf at NLnetLabs.nl
Mon Dec 8 14:59:51 UTC 2008

On Dec 5, 2008, at 12:13 PM, Roy Arends wrote:

> This assumes that the transferring parties are highly cooperative, which
> is not the general case. When 'hostile' parties transfer a domain, it will
> probably fall back to unsigned (i.e. no DS record at parent).

Or two DSs at the parents: the old and the new one. Only the new NS-es.

Note that if the uncooperative party puts a long TTL on both the NS
and the security records, a client may be retrieving old records for a
very long time. In that case the new party may actually force
validation failure for the old parties. Depending on how much harm the
old party does.
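
An added illustration, not part of the message above and not OpenDNSSEC code: a simplified Python model of a validating resolver that cached the old NS and DS just before the transfer, showing when its answers validate under the options discussed (old and new DS at the parent, new DS only, no DS). The key labels, the TTL values and the assumption that the parent switches NS and DS at t=0 are all constructed for the example.

```python
from dataclasses import dataclass

DAY = 86400
OLD, NEW = "old-key", "new-key"   # constructed labels for the two operators' keys

@dataclass(frozen=True)
class Transfer:
    """Constructed model; times are seconds after the parent changes NS and DS."""
    ns_ttl: int            # TTL the old operator put on its NS RRset
    ds_ttl: int            # TTL of the DS RRset the resolver cached from the parent
    parent_ds: frozenset   # keys the parent publishes a DS for after the transfer

def resolver_view(x: Transfer, t: int) -> str:
    """Outcome at time t for a resolver that cached NS and DS just before t=0."""
    # While the cached NS lives, queries go to the old servers (old DNSKEY/RRSIG).
    served_key = OLD if t < x.ns_ttl else NEW
    # The cached DS set (old key only) is trusted until it expires.
    trusted = frozenset({OLD}) if t < x.ds_ttl else x.parent_ds
    if not trusted:
        return "insecure"  # no DS at the parent: the zone is treated as unsigned
    return "secure" if served_key in trusted else "bogus"

def bogus_window(x: Transfer, horizon: int, step: int = 3600):
    """(start, end) of the period with validation failures, or None."""
    bad = [t for t in range(0, horizon, step) if resolver_view(x, t) == "bogus"]
    return (bad[0], bad[-1] + step) if bad else None

# Uncooperative old operator: 7-day NS TTL; the parent's DS TTL is 1 day.
DOUBLE_DS = Transfer(7 * DAY, DAY, frozenset({OLD, NEW}))
NEW_ONLY = Transfer(7 * DAY, DAY, frozenset({NEW}))
UNSIGNED = Transfer(7 * DAY, DAY, frozenset())

if __name__ == "__main__":
    for name, x in [("old+new DS", DOUBLE_DS), ("new DS only", NEW_ONLY),
                    ("no DS", UNSIGNED)]:
        print(f"{name:12} bogus window: {bogus_window(x, 8 * DAY)}")
```

With both DSs at the parent the stale resolver keeps validating against the old servers until its NS expires; with only the new DS, everything it fetches from the old servers fails validation from DS expiry until NS expiry.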
