
Network Working Group                                          C. Zhang
Internet-Draft                                                    CNNIC
Intended Status: Informational                                  
Expires: 11 Nov 2026                                        11 May 2026        


             Top Level Domain Transition Operational Practices
                   draft-zhang-dnsop-tld-transition-00

Abstract

   This document describes the process for Top-Level Domain (TLD)
   registries to switch their Back-End Registry Operator (BERO),
   including migration requirements, data changes, and operational
   procedures.

   This document applies to scenarios where the name service of a TLD
   is migrated between different BEROs and the TLD has implemented
   DNSSEC.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the 
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF). Note that other groups may also distribute 
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months 
   and may be updated, replaced, or obsoleted by other documents at any 
   time. It is inappropriate to use Internet-Drafts as reference material 
   or to cite them other than as "work in progress."

   This Internet-Draft will expire on 11 Nov 2026.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the 
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal 
   Provisions Relating to IETF Documents 
   (https://trustee.ietf.org/license-info) in effect on the date of 
   publication of this document. Please review these documents 
   carefully, as they describe your rights and restrictions with respect 
   to this document. Code Components extracted from this document must 
   include Revised BSD License text as described in Section 4.e of 
   the Trust Legal Provisions and are provided without warranty as 
   described in the Revised BSD License.

1.  Introduction

   During the migration of a TLD's name service, especially when DNSSEC
   is implemented, the availability of the name service and the
   verifiability of zone data are mandatory. The relevant operations
   involve the registry of the TLD, the original BERO, the new BERO,
   and IANA.

   To achieve the above objectives, the sequence of operations shall
   comply with specified requirements. This document sets forth the
   relevant requirements and operational procedures.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
   document are to be interpreted as described in [RFC2119].

2.  Roles in Transition

   The registry is responsible for the management and maintenance of TLD
   information. During the service migration, its specific operation is
   to submit applications to IANA for adding or removing DS records and
   NS records.
   The registry does not directly manipulate data in the domain name system.

   The original BERO is responsible for maintaining the TLD's zone data.
   During the service migration process, its specific operations include:
   adding DNSKEY records and NS records to the TLD's zone data, signing
   the zone data, and configuring the synchronization relationship with
   the new BERO.
   After the service migration is completed, the original BERO will exit
   the service system of this TLD.

   The new BERO is responsible for maintaining the TLD's zone data. During
   the service migration process, its specific operations include: adding
   DNSKEY records and NS records to or removing them from the TLD's zone data,
   signing the zone data, and configuring the synchronization relationship
   with the original BERO.

   IANA is responsible for maintaining root zone data. During the service
   migration, its specific operations include adding DS records and NS records
   to or removing them from the root zone data.

3.  Requirements and Prerequisites

   During the name service migration, the availability of the service
   and the correctness and verifiability of the data must be guaranteed
   at all times.

   To ensure data consistency during the service migration, the data of
   registered domain names shall remain unchanged.

   The data that are mainly modified include the NS records of the TLD,
   as well as DNSSEC-related records such as DNSKEY, DS, RRSIG, and
   NSEC3.

4.  Procedures of Transition

   In the procedures below, "TTL" refers to the larger TTL value of the
   same resource record set in the root zone or TLD zone, and "DNSKEY
   records" refers to KSK records and ZSK records.

   The specific operational procedures for the name service migration
   are as follows:

   1.  The original BERO and the new BERO shall establish a zone data
       synchronization relationship, and zone data will be synchronized
       from the original BERO to the new BERO.

   2.  The original BERO adds new records to the zone data, where new
       records refer to the NS records and DNSKEY records of the new
       BERO, and re-signs the zone data.

   3.  The registry submits an application to IANA for adding the NS
       records and DS records of the new BERO.

   4.  IANA adds the NS records and DS records of the new BERO to the
       root zone. IANA will first conduct a technical check. Only after
       the check is passed will IANA add the NS records and DS records
       to the root zone. The content of the technical check is
       described in [NS-REQ].

   5.  Wait for the TTL interval. After the cached DS and NS records in
       recursive servers expire, subsequent queries will resolve to
       both the original and new BERO with their respective DS and NS
       records.

   6.  The new BERO removes the NS records of the original BERO,
       re-signs the zone data, and updates the synchronization
       relationship to synchronize zone data from the new BERO to the
       original BERO.

   7.  The registry submits an application to IANA for removing the NS
       records of the original BERO.

   8.  IANA removes the NS records of the original BERO from the root
       zone. A technical check will also be performed here.

   9.  Wait for the TTL interval. After the NS record caches in
       recursive servers expire, subsequent queries will only receive
       the NS records of the new BERO.

   10. The new BERO removes the DNSKEY records of the original BERO and
       signs the zone data.

   11. The registry submits an application to IANA for removing the DS
       records of the original BERO.

   12. IANA removes the DS records of the original BERO from the root
       zone. A technical check will also be performed here.

   13. The new BERO terminates the data synchronization relationship
       with the original BERO, and the migration is complete.
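
   The ordering constraints in steps 1-13 can be checked with a small
   model. The following Python is an added example, not part of this
   draft or of any operator's tooling; it shows that the order above
   keeps every cached view valid and what breaks when either TTL wait is
   skipped. It assumes that one operator signs the zone at a time
   (signing moves to the new BERO in step 6), names keys by operator,
   and models "ns" as the root-zone delegation only.

```python
# Added example: simplified model of the 13-step transition, not part of the draft.
# Assumptions: one operator signs at a time; keys are named by operator
# ("old"/"new"); a resolver may mix any RRsets published since the last TTL wait.
import copy

STEPS = {  # step number -> state changes; empty dict = application to IANA only
    1: {"serving": {"old", "new"}},           # zone sync old -> new
    2: {"dnskey": {"old", "new"}},            # old BERO publishes new BERO's keys
    3: {},
    4: {"ds": {"old", "new"}, "ns": {"old", "new"}},
    5: "wait",
    6: {"signer": "new"},                     # new BERO re-signs, sync reversed
    7: {},
    8: {"ns": {"new"}},
    9: "wait",
    10: {"dnskey": {"new"}},
    11: {},
    12: {"ds": {"new"}},
    13: {"serving": {"new"}},                 # sync terminated, old BERO exits
}

def first_failure(order):
    """Run steps in `order`; return the first step where some cached view
    fails DNSSEC validation or follows NS to a retired operator, else None."""
    state = {"ds": {"old"}, "ns": {"old"}, "dnskey": {"old"},
             "signer": "old", "serving": {"old"}}
    seen = [copy.deepcopy(state)]             # snapshots since the last TTL wait
    for n in order:
        change = STEPS[n]
        if change == "wait":
            seen = [copy.deepcopy(state)]     # all older cache entries expired
            continue
        state.update(change)
        seen.append(copy.deepcopy(state))
        for a in seen:                        # a: where cached signatures came from
            if not a["ns"] <= state["serving"]:
                return n                      # cached delegation is lame
            for b in seen:                    # b: where cached DS/DNSKEY came from
                if a["signer"] not in b["ds"] or a["signer"] not in b["dnskey"]:
                    return n                  # no DS -> DNSKEY -> RRSIG path
    return None

DRAFT_ORDER = list(range(1, 14))
NO_FIRST_WAIT = [n for n in DRAFT_ORDER if n != 5]    # re-sign before DS has spread
NO_SECOND_WAIT = [n for n in DRAFT_ORDER if n != 9]   # drop old keys too early
```

   In this model the draft's order never fails; omitting step 5 fails
   at step 6, and omitting step 9 fails at step 10.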

9.  References

9.1.  Normative References

   [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
             Operational Practices, Version 2", RFC 6781,
             DOI 10.17487/RFC6781, December 2012,
             <https://www.rfc-editor.org/info/rfc6781>.

   [NS-REQ]  IANA, "Technical requirements for authoritative name servers", 
             Nov 2024, <https://www.iana.org/help/nameserver-requirements>.

Authors' Addresses

   Cuiling Zhang
   CNNIC
   No.9 Beijing Auto Museum West Road, Fengtai District
   Beijing, 100070
   China

   Email: zhangcuiling@cnnic.cn