Hi Lutz and everyone,

Thank you for checking about protocol for alternates on the mailing list. This is a good moment to remind everyone -- members may contribute on the mailing list at any time. Alternates may only contribute on the mailing list if they are acting as a designated substitute for a member. If they are not "standing in" for a member who is absent, they should refrain from commenting.

Thanks in advance for being mindful of this. If there are any questions, please feel free to ask.

Kind regards,
Emily

On 18/05/2021, 16:21, "GNSO-TPR on behalf of Lutz Donnerhacke" <gnso-tpr-bounces@icann.org on behalf of lutz@donnerhacke.de> wrote:

On Tue, May 18, 2021 at 09:38:02AM -0400, Steve Crocker wrote:
> I'd be very interested in how you transfer a DNSSEC signed zone without
> incurring any disruption of either resolution or validation. Perhaps best
> if we take this offline.

If we are out of scope, please let me (as an alternate) add some notes.

The current minimal policy requirement is that the gaining registrar is able to delete the DNSSEC information from the registry. So this procedure is possible:

1) Transfer the registry permissions to the gaining registrar.
2) Delete the DNSSEC (DS) data at the registry.
3) Wait (policy must exist, the old NS must not be disconnected).
4) Set new name server glue at the registry.
5) Losing name server operator ends the service.

This way the losing registrar is not required to do anything.

If the gaining registrar is able to operate with DNSSEC, a different method can be used:

1) Transfer the registry permissions to the gaining registrar.
2) Add new DNSSEC (DS) data without deleting the existing one at the registry.
3) Wait (policy must exist, the old NS must not be disconnected).
4) Set new name server glue at the registry.
5) Losing name server operator ends the service.
6) Remove old DNSSEC (DS) data without deleting the new one at the registry.

This way the losing registrar is not required to do anything.

If there is no policy to uphold the name server operations after the transfer, some early activities are necessary:

1) The losing registrar receives new DNSSEC (DS) data from the gaining name server operator via the registrant.
2) The losing registrar adds the new DNSSEC (DS) data in addition to the old one at the registry.
3) Wait.
4) Transfer the registry permissions to the gaining registrar.
6) Gaining registrar sets new name server glue and removes old DS records at the registry.
7) Losing name server operator ends the service.

Here we only need a policy that the losing registrar is required to add an additional DNSSEC record when handing out an authinfo code.

If we do not have any of those policies, the service will be disrupted during the transfer.

_______________________________________________
GNSO-TPR mailing list
GNSO-TPR@icann.org
https://mm.icann.org/mailman/listinfo/gnso-tpr
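The following is an added worked model of the three procedures in Lutz's mail (and of the "no policy" case in its last sentence); it is not code from the thread or from ICANN. It tracks only what the thread is about: the DS set the parent publishes, which operator's NS glue is published, and whether that operator still serves the zone. The operator names, the key tags 1 (losing operator) and 2 (gaining operator), and the single caching rule (after the parent's DS set changes, resolvers may still hold the previous DS set until a "wait" step lets it expire) are assumptions; NS-glue caching and DNSKEY TTLs are deliberately left out of the model. Each step reports the worst outcome a validating resolver could see at that moment, which makes it easy to check a proposed policy against the "no disruption of resolution or validation" requirement Steve raised.

```python
"""Model of DNSSEC-safe registrar transfer procedures (added example, not from the thread).

Assumptions: losing operator signs with key tag 1, gaining operator with key tag 2;
only DS-set caching is modelled (NS caching and DNSKEY TTLs are ignored).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Operator:
    name: str
    keytag: int            # key tag of the DNSKEY this operator signs the zone with
    serving: bool = True   # False once the operator has switched the zone off


@dataclass
class Delegation:
    registrar: str                        # sponsoring registrar of record
    ns: str                               # operator whose NS glue the parent publishes
    ds: Set[int]                          # key tags referenced by the parent's DS RRset
    cached_ds: Optional[Set[int]] = None  # previous DS RRset resolvers may still hold


RANK = {"secure": 0, "insecure": 1, "bogus": 2, "unresolvable": 3}


def status(d: Delegation, ops: Dict[str, Operator]) -> str:
    """Worst outcome a validating resolver can see for this delegation right now."""
    op = ops[d.ns]
    if not op.serving:
        return "unresolvable"            # published NS no longer answers
    worst = "secure"
    for ds in (d.ds, d.cached_ds):       # current DS set and a possibly cached old one
        if ds is None:
            continue
        if not ds:
            s = "insecure"               # unsigned delegation: resolves, no validation
        elif op.keytag in ds:
            s = "secure"                 # DS covers the key the answering operator uses
        else:
            s = "bogus"                  # signed with a key the DS set does not cover
        if RANK[s] > RANK[worst]:
            worst = s
    return worst


# --- registry and operator actions ------------------------------------------
Action = Callable[[Delegation, Dict[str, Operator]], None]


def _change_ds(d: Delegation, new: Set[int]) -> None:
    d.cached_ds, d.ds = set(d.ds), new   # old set lingers in caches until a wait step


def transfer(d, ops): d.registrar = "gaining"
def wait(d, ops): d.cached_ds = None    # old DS set has expired from resolver caches
def set_ns(d, ops): d.ns = "gaining-op"
def end_service(d, ops): ops["losing-op"].serving = False
def delete_ds(d, ops): _change_ds(d, set())
def add_ds_new(d, ops): _change_ds(d, d.ds | {2})
def remove_ds_old(d, ops): _change_ds(d, d.ds - {1})
def replace_ds(d, ops): _change_ds(d, {2})
def set_ns_and_remove_old_ds(d, ops):
    set_ns(d, ops)
    remove_ds_old(d, ops)


def run(steps: List[Tuple[str, Action]]) -> List[Tuple[str, str]]:
    """Apply the steps in order and record the resolver-visible status after each."""
    ops = {"losing-op": Operator("losing-op", 1), "gaining-op": Operator("gaining-op", 2)}
    d = Delegation(registrar="losing", ns="losing-op", ds={1})
    trace = [("start", status(d, ops))]
    for label, action in steps:
        action(d, ops)
        trace.append((label, status(d, ops)))
    return trace


def worst_status(steps: List[Tuple[str, Action]]) -> str:
    return max((s for _, s in run(steps)), key=RANK.__getitem__)


# Method 1 of the mail: gaining registrar deletes the DS data, zone goes unsigned.
DELETE_DS = [("transfer", transfer), ("delete DS", delete_ds), ("wait", wait),
             ("set new NS", set_ns), ("losing operator stops", end_service)]
# Method 2: add the new DS next to the old one, remove the old one last.
DOUBLE_DS = [("transfer", transfer), ("add new DS", add_ds_new), ("wait", wait),
             ("set new NS", set_ns), ("losing operator stops", end_service),
             ("remove old DS", remove_ds_old)]
# Method 3: losing registrar adds the new DS before the transfer takes place.
EARLY_DS = [("losing registrar adds new DS", add_ds_new), ("wait", wait),
            ("transfer", transfer), ("set new NS + remove old DS", set_ns_and_remove_old_ds),
            ("losing operator stops", end_service)]
# Constructed "no policy" sequence: old operator stops early, DS is fixed only afterwards.
NO_POLICY = [("transfer", transfer), ("losing operator stops", end_service),
             ("set new NS", set_ns), ("replace DS", replace_ds), ("wait", wait)]

if __name__ == "__main__":
    for name, steps in (("delete-DS", DELETE_DS), ("double-DS", DOUBLE_DS),
                        ("early-DS", EARLY_DS), ("no-policy", NO_POLICY)):
        print(name, worst_status(steps), run(steps))
```

Running the script prints one trace per procedure. The two DS-overlap methods stay "secure" at every step, the delete-DS method never breaks resolution but drops the zone to "insecure" from step 2 onward (a validation downgrade rather than an outage), and the unconstrained sequence shows both failure modes the mail warns about: an "unresolvable" gap when the losing operator stops before the new glue is published, then "bogus" answers while the parent's DS set still points at the old key.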