Hi Dick,

> I've got a generic question regarding DNSSEC.
> What is the proper sequence of steps for going unsigned with a domain
> that is currently properly signed?

In case you are currently using OpenDNSSEC 2.0 you can tell it to stop signing a zone and it will take care of the timings for you.
https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-StopusingDNSSECforazone

> From the OpenDNSSEC course I remember that just removing the DS record
> from the parent is enough.
> Just make sure to keep serving the other bits such as RRSIG, DNSKEY etc.
> Once the TTL for the DS has expired and nobody should have a DS record
> anymore, then it is safe to stop publishing RRSIGs, DNSKEY etc.

Indeed. And that is what you should do if you are running OpenDNSSEC 1.4.

- remove all DS records from the parent
- wait at least the TTL that was on the DS record
- swap your signed zone for the unsigned version / remove it from ODS etc.

//Yuri
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
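The three-step procedure Yuri describes (pull the DS from the parent, wait out the DS TTL, then swap in the unsigned zone) is easy to get wrong in the waiting step: the TTL clock only starts once the last parent authoritative server has stopped answering with the DS, because a validating resolver may have fetched it from any of them right up to that moment. The following is an added example, not code from the thread or from OpenDNSSEC, that turns the procedure into a small planner: it parses dig-style DS answers collected from each parent server (the server names and the DS digest below are constructed sample data), tells you which step you are at, and computes the earliest time it is safe to stop serving DNSKEY and RRSIG. The function names and the idea of recording the "DS gone everywhere" timestamp yourself are this example's own assumptions.

```python
"""Planner for taking a signed zone back to unsigned (added example, not OpenDNSSEC code).

Inputs: the answer section each parent authoritative server returns for
`dig +norecurse @<server> <zone> DS`, the TTL the DS carried, and the time
at which the DS was last seen on any parent server.
"""
import re
from datetime import datetime, timedelta, timezone

# One DS RR in dig's presentation format:
#   example.  3600  IN  DS  12345 13 2 <hex digest>
DS_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+DS\s+"
    r"(?P<keytag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f ]+)$"
)


def parse_ds(answer_text):
    """Extract DS records from a dig-style answer section.

    Returns a list of (keytag, algorithm, digest_type, digest, ttl) tuples;
    comment lines (starting with ';') and blank lines are ignored.
    """
    records = []
    for line in answer_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DS_RE.match(line)
        if m:
            records.append((
                int(m["keytag"]), int(m["alg"]), int(m["dtype"]),
                m["digest"].replace(" ", "").upper(), int(m["ttl"]),
            ))
    return records


def servers_still_publishing_ds(answers_by_server):
    """Names of parent servers whose answer still carries a DS RRset."""
    return sorted(s for s, text in answers_by_server.items() if parse_ds(text))


def earliest_unsign_time(ds_gone_at, ds_ttl_seconds):
    """Earliest moment to stop serving DNSKEY/RRSIG.

    The DS TTL is counted from when the LAST parent server stopped serving
    the DS, since a resolver could have cached it from that server until then.
    """
    return ds_gone_at + timedelta(seconds=ds_ttl_seconds)


def next_step(answers_by_server, ds_ttl_seconds, ds_gone_at=None, now=None):
    """Return (state, advice) for the go-unsigned procedure at time `now`."""
    now = now or datetime.now(timezone.utc)
    lagging = servers_still_publishing_ds(answers_by_server)
    if lagging:
        return ("wait_for_parent",
                "DS still served by " + ", ".join(lagging)
                + "; keep serving DNSKEY and RRSIG.")
    if ds_gone_at is None:
        raise ValueError("DS is gone everywhere; record when it disappeared to start the TTL clock")
    safe_at = earliest_unsign_time(ds_gone_at, ds_ttl_seconds)
    if now < safe_at:
        return ("wait_for_ttl",
                "Keep serving DNSKEY and RRSIG until " + safe_at.isoformat())
    return ("unsign", "Safe to serve the unsigned zone / remove the zone from ODS.")


# Constructed sample data (not real servers or digests): one parent server
# still answers with the DS, the other has already dropped it.
SAMPLE_BEFORE = {
    "a.parent.test": "example.\t3600\tIN\tDS\t12345 13 2 "
                     "49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE3A8D5A1E4C8B0B0F1E2D3C4A",
    "b.parent.test": ";; ANSWER SECTION:\n",
}
SAMPLE_AFTER = {"a.parent.test": "", "b.parent.test": ""}
DS_TTL = 3600
DEMO_GONE_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # assumed timestamp
DEMO_HALF_HOUR_LATER = DEMO_GONE_AT + timedelta(minutes=30)
DEMO_ONE_HOUR_LATER = DEMO_GONE_AT + timedelta(hours=1)

if __name__ == "__main__":
    print(next_step(SAMPLE_BEFORE, DS_TTL))
    print(next_step(SAMPLE_AFTER, DS_TTL, DEMO_GONE_AT, now=DEMO_HALF_HOUR_LATER))
    print(next_step(SAMPLE_AFTER, DS_TTL, DEMO_GONE_AT, now=DEMO_ONE_HOUR_LATER))
```

In practice you would feed `next_step` the output of a dig query against every NS of the parent zone, not the constructed strings above, and only write down `ds_gone_at` once `servers_still_publishing_ds` returns an empty list; until that point, and for a full DS TTL afterwards, the zone must keep answering with its DNSKEY and RRSIGs, exactly as the thread says.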
