[Opendnssec-user] general question regarding DNSSEC

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Feb 6 11:54:36 UTC 2017


Hi Dick,

> I've got a generic question regards DNSSEC.
> What is the proper sequence of steps for going unsigned with a domain
> that is currently properly signed?

In case you are currently using OpenDNSSEC 2.0 you can tell it to stop
signing a zone and it will take care of the timings for you.

https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-StopusingDNSSECforazone

> From the OpenDNSSEC course I remember that just removing the DS record
> from the parent is enough.
> Just make sure to keep serving the other bits such as RRSIG, DNSKEY etc.
> Once the TTL for the DS has expired and nobody should have a DS record
> anymore, then it is safe to stop publishing RRSIGs, DNSKEY etc.

Indeed. And that is what you should do if you are running OpenDNSSEC 1.4.

- Remove all DS records from the parent.
- Wait at least the TTL that was on the DS record.
- Swap your signed zone for the unsigned version / remove it from ODS etc.

//Yuri
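The manual (OpenDNSSEC 1.4 style) procedure above, as an added example that is not from this thread or from OpenDNSSEC itself: a small POSIX sh helper that checks the parent for remaining DS records, extracts the DS TTL you need to wait for, and computes the earliest time at which DNSKEY/RRSIG may be dropped. The function names, the default safety margin of 3600 seconds and the sample DS records are all assumptions made for this example; the only external tool used is `dig`, and only when a zone name is passed on the command line.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of OpenDNSSEC.
# Helper for going unsigned: after the DS records are removed at the parent,
# keep publishing DNSKEY/RRSIG until every resolver can have dropped its
# cached DS, i.e. at least the DS TTL after removal.
#
# Usage: ./unsign-check.sh example.com   (queries the parent with dig)

# Parse DS records in dig presentation format on stdin and print the largest
# TTL seen (0 if no DS record is present). Fields: name TTL class type ...
ds_max_ttl() {
    awk 'BEGIN { max = 0 }
         $3 == "IN" && $4 == "DS" { if ($2 + 0 > max) max = $2 + 0 }
         END { print max }'
}

# Count DS records in dig presentation format on stdin.
ds_count() {
    awk '$3 == "IN" && $4 == "DS" { n++ } END { print n + 0 }'
}

# Earliest epoch time at which DNSKEY/RRSIG may be removed from the zone.
# $1 = DS TTL as published by the parent before removal (the authoritative
#      TTL, not a decremented value from a resolver cache)
# $2 = epoch time at which the last parent server stopped serving the DS
# $3 = optional safety margin in seconds (assumed default: 3600); a resolver
#      may have fetched the DS right before it disappeared, and some caches
#      are sloppy about TTLs, so waiting exactly the TTL is the bare minimum.
safe_after() {
    ttl=$1
    removed_at=$2
    margin=${3:-3600}
    echo $(( removed_at + ttl + margin ))
}

# Ask every authoritative server of the parent zone for DS records of $1.
# The parent is assumed to be $1 with its first label removed; for
# "example.com" that is "com". Queries are non-recursive because the parent's
# servers are authoritative for the DS RRset.
fetch_ds() {
    zone=$1
    parent=${zone#*.}
    for ns in $(dig +short NS "$parent"); do
        dig +noall +answer +norecurse @"$ns" DS "$zone"
    done
}

# Command-line entry point: report whether the parent still serves a DS.
if [ -n "${1:-}" ]; then
    out=$(fetch_ds "$1")
    if [ "$(printf '%s\n' "$out" | ds_count)" -eq 0 ]; then
        echo "no DS for $1 at the parent; wait the old DS TTL, then go unsigned"
    else
        echo "DS for $1 still published (TTL $(printf '%s\n' "$out" | ds_max_ttl)s)"
    fi
fi
```

Record the TTL with `dig @<parent-ns> DS <zone>` before you ask the registrar to delete the DS, because once the records are gone you can no longer read it from the parent; `safe_after` then turns that TTL and the removal time into the moment after which step three is safe.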
