To the DNSEXT working group:

This post follows on an observation by Olafur (made during the
IETF-64 DNSEXT wg session) that DNSSEC might be turned off and on
for a zone, perhaps with emphasis on islands of trust.

I think the question might be broken down into sub-questions
related to a) the parent zone status, and b) the effect of
turning off DNSSEC on child zones.

a) the parent zone status

Parent DNSSEC-aware

Change the status reported by the parent zone from
secure to insecure (and then reverse) ... no trust
anchor key issue.

Parent DNSSEC-oblivious (or root zone)

Zone status from secure to indeterminate (and then
reverse) ... with TAKREM as a TAK-rollover mechanism,
going back from indeterminate to secure is supported
(perhaps with the inconvenience that turning DNSSEC
back on consumes a pre-announced trust anchor key if
the key lifetime is handled in one of the three
mechanisms explained in another post on the
namedroppers list today)

b) the effect of turning off DNSSEC on child zones

Child DNSSEC-oblivious

Child zone status going from insecure to indeterminate
(and then reverse) ... no trust anchor key issue

Child DNSSEC-aware, not a trust anchor key

Child zone status going from secure to indeterminate
(and then reverse) ... no trust anchor key issue

Child DNSSEC-aware, child zone trust anchor key managed with
TAKREM (e.g. the child zone became DNSSEC-aware before its
parent and resolvers still contain the related configuration
data, or e.g. the child zone has a trust anchor key
configuration in a "private trust" arrangement)

Child zone status staying secure, from normal
delegation to trust anchor key (and then reverse) ...
supported by TAKREM

Hope it helps ...

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1

Tel.: (514)385-5691
Fax: (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com
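Editorial illustration added to this archived post (not part of Thierry
Moreau's message): a small Python model of how a validating resolver
derives a zone's status in RFC 4033 terms (secure, insecure, bogus,
indeterminate) from its parent's status, the DS at the parent and the
trust anchors the resolver has configured. It walks through the three
cases listed above, and adds the one outcome the post does not name:
a zone that drops its RRSIGs while a DS or a resolver-side trust anchor
still points at it is bogus, not insecure or indeterminate. The zone
names and the chain below are constructed for the example; the trust
anchor sets stand in for the resolver configuration data, and TAKREM
itself is not modelled.

```python
# Added example (not from Thierry Moreau's post): a small model of how a
# validating resolver derives a zone's DNSSEC status (RFC 4033 terms: secure,
# insecure, bogus, indeterminate) from its parent's status, the DS at the
# parent and locally configured trust anchors. Zone names are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

SECURE, INSECURE, BOGUS, INDETERMINATE = "secure", "insecure", "bogus", "indeterminate"


@dataclass
class Zone:
    name: str
    signed: bool                     # publishes DNSKEY + RRSIGs (assumed valid if present)
    parent: Optional["Zone"] = None  # None for the root zone
    ds_in_parent: bool = False       # parent publishes a DS matching this zone's KSK


def validation_status(zone: Zone, trust_anchors: FrozenSet[str]) -> str:
    """Top-down chain-of-trust walk (simplified RFC 4035 section 4.3 logic)."""
    # A configured trust anchor short-circuits the chain: secure if the zone
    # is signed, bogus if the anchor can no longer be matched to a DNSKEY.
    if zone.name in trust_anchors:
        return SECURE if zone.signed else BOGUS
    if zone.parent is None:          # root with no anchor: nothing to chain to
        return INDETERMINATE
    parent_status = validation_status(zone.parent, trust_anchors)
    if parent_status == SECURE:
        if zone.ds_in_parent:        # secure delegation: child must validate
            return SECURE if zone.signed else BOGUS
        return INSECURE              # authenticated denial of DS: provably unsigned
    return parent_status             # insecure/bogus/indeterminate propagate down


def turn_off_under_aware_parent() -> Tuple[str, str, str]:
    """Case a), parent DNSSEC-aware: secure -> insecure once DS and RRSIGs are
    gone; dropping the RRSIGs while the DS is still published is bogus."""
    parent = Zone("example.", signed=True)
    child = Zone("child.example.", signed=True, parent=parent, ds_in_parent=True)
    anchors = frozenset({"example."})
    before = validation_status(child, anchors)
    child.signed = False                 # RRSIGs removed, DS still at parent
    during = validation_status(child, anchors)
    child.ds_in_parent = False           # DS withdrawn as well
    after = validation_status(child, anchors)
    return before, during, after


def turn_off_under_oblivious_parent(resolvers_drop_anchor: bool) -> Tuple[str, str]:
    """Case a), parent DNSSEC-oblivious: an island of trust goes secure ->
    indeterminate only if resolvers also drop its trust anchor; a resolver
    that keeps the stale anchor sees bogus instead."""
    root = Zone(".", signed=False)       # unsigned root, as in 2005
    island = Zone("example.", signed=True, parent=root)
    anchors = frozenset({"example."})
    before = validation_status(island, anchors)
    island.signed = False
    after = validation_status(island, frozenset() if resolvers_drop_anchor else anchors)
    return before, after


def children_when_island_turns_off() -> Dict[str, Tuple[str, str]]:
    """Case b): the three kinds of child when example. stops signing and
    its trust anchor is withdrawn from resolvers."""
    root = Zone(".", signed=False)
    island = Zone("example.", signed=True, parent=root)
    kids = {
        "oblivious": Zone("plain.example.", signed=False, parent=island),
        "aware-no-anchor": Zone("signed.example.", signed=True, parent=island, ds_in_parent=True),
        "aware-own-anchor": Zone("anchored.example.", signed=True, parent=island, ds_in_parent=True),
    }
    before_anchors = frozenset({"example.", "anchored.example."})
    after_anchors = frozenset({"anchored.example."})
    before = {k: validation_status(z, before_anchors) for k, z in kids.items()}
    island.signed = False
    for z in kids.values():
        z.ds_in_parent = False           # an unsigned parent has no signed DS to offer
    after = {k: validation_status(z, after_anchors) for k, z in kids.items()}
    return {k: (before[k], after[k]) for k in kids}
```

The ordering caveat is the practical one: removing the RRSIGs before the
parent's DS (or before resolvers have dropped a configured trust anchor)
yields bogus responses for the whole zone, so a turn-off has to withdraw
the DS or the anchor first and wait out its TTL, exactly the mirror image
of the key-introduction timing a rollover scheme such as TAKREM handles.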



