[Opendnssec-user] general question regarding DNSSEC
Dick Visser
visser at terena.org
Mon Feb 6 11:35:50 UTC 2017
Hi
I've got a generic question regards DNSSEC.
What is the proper sequence of steps for going unsigned with a domain
that is currently properly signed?
>From the OpenDNSSEC course I remember that just removing the DS record
form the parent is enough.
Just make sure to keep serving the other bits such as RRSIG, DNSKEY etc.
Once the TTL for the DS had expired and nobody should have a DS record
anymore, then it's is safe to stop publishing RRSIGs, DNSKEY etc.
I couldn't find any concise information on this topic...
Many thanks
Dick
--
Dick Visser
Sr. System & Network Engineer
GÉANT
Want to join us? We're hiring: http://www.geant.org/jobs
More information about the Opendnssec-user
mailing list