Network Working Group                                           C. Zhang
Internet-Draft                                                     CNNIC
Intended Status: Informational
Expires: 11 Nov 2026                                         11 May 2026

          Top Level Domain Transition Operational Practices
                 draft-zhang-dnsop-tld-transition-00

Abstract

   This document describes the process for Top-Level Domain (TLD)
   registries to switch their Back-End Registry Operator (BERO),
   including migration requirements, data changes, and operational
   procedures. This document applies to scenarios where the name
   service of a TLD is migrated between different BEROs, and the TLD
   has implemented DNSSEC.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 11 Nov 2026.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Revised BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Revised BSD License.

1.  Introduction

   During the migration of a TLD name service, especially when DNSSEC
   is implemented, the availability of the name service and the
   verifiability of zone data are mandatory. The relevant operations
   involve the registry of the TLD, the original BERO, the new BERO,
   and IANA. To achieve the above objectives, the sequence of
   operations shall comply with specified requirements. This document
   sets forth the relevant requirements and operational procedures.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Roles in Transition

   The registry is responsible for the management and maintenance of
   TLD information. During the service migration, its specific
   operation is to submit applications to IANA for adding or removing
   DS records and NS records. The registry does not directly manipulate
   data in the domain name system.

   The original BERO is responsible for maintaining the TLD's zone
   data. During the service migration process, its specific operations
   include: adding DNSKEY records and NS records to the TLD's zone
   data, signing the zone data, and configuring the synchronization
   relationship with the new BERO. After the service migration is
   completed, the original BERO will exit the service system of this
   TLD.

   The new BERO is responsible for maintaining the TLD's zone data.
   During the service migration process, its specific operations
   include: adding DNSKEY records and NS records to or removing them
   from the TLD's zone data, signing the zone data, and configuring the
   synchronization relationship with the original BERO.

   IANA is responsible for maintaining root zone data. During the
   service migration, its specific operations include adding DS records
   and NS records to or removing them from the root zone data.

3.  Requirements and Prerequisites

   During the name service migration, the availability of the service
   and the correctness and verifiability of the data must be guaranteed
   at all times.

   To assure data consistency during the service migration, the data of
   registered domain names shall remain unchanged. The data that are
   mainly modified include the NS records of the TLD, as well as
   DNSSEC-related records such as DNSKEY, DS, RRSIG, and NSEC3.

4.  Procedures of Transition

   The specific operational procedures for the name service migration
   are as follows:

   The "TTL" below refers to the larger TTL value of the same resource
   record set in the root zone or TLD zone. The "DNSKEY records" refers
   to KSK records and ZSK records.

   1.  The original BERO and the new BERO shall establish a zone data
       synchronization relationship, and zone data will be synchronized
       from the original BERO to the new BERO.

   2.  The original BERO adds new records to zone data, where new
       records refer to the NS records and DNSKEY records of the new
       BERO, and re-signs the zone data.

   3.  The registry submits an application to IANA for adding the NS
       records and DS records of the new BERO.

   4.  IANA adds the NS records and DS records of the new BERO to the
       root zone. IANA will first conduct a technical check. Only after
       passing the check will IANA add the NS records and DS records in
       the root zone. For the content of the technical check, refer to
       [NS-REQ].

   5.  Wait for the TTL interval. After the cached DS and NS records in
       recursive servers expire, subsequent queries will resolve to
       both the original and new BERO with their respective DS and NS
       records.

   6.  The new BERO removes the NS records of the original BERO,
       re-signs the zone data, and updates the synchronization
       relationship to synchronize zone data from the new BERO to the
       original BERO.

   7.  The registry submits an application to IANA for removing the NS
       records of the original BERO.

   8.  IANA removes the NS records of the original BERO from the root
       zone. A technical check will also be performed here.

   9.  Wait for the TTL interval. After the NS record caches in
       recursive servers expire, subsequent queries will only receive
       the NS records of the new BERO.

   10. The new BERO removes the DNSKEY records of the original BERO and
       signs the zone data.

   11. The registry submits an application to IANA for removing the DS
       records of the original BERO.

   12. IANA removes the DS records of the original BERO from the root
       zone. A technical check will also be performed here.

   13. The new BERO terminates the data synchronization relationship
       with the original BERO and the migration finishes.

9.  References

9.1.  Normative References

   [RFC6781]  Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
              Operational Practices, Version 2", RFC 6781,
              DOI 10.17487/RFC6781, December 2012.

   [NS-REQ]   IANA, "Technical requirements for authoritative name
              servers", Nov 2024.

Authors' Addresses

   Cuiling Zhang
   CNNIC
   No.9 Beijing Auto Museum West Road, Fengtai District
   Beijing, 100070
   China

   Email: zhangcuiling@cnnic.cn
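
The ordering of the Section 4 procedure can be checked mechanically. The following Python model is an added example, not part of the draft: it tracks the root NS/DS sets, the zone's DNSKEY set, the signing operator and the answering operators after each group of steps, and confirms that a resolver holding any mix of still-cached and fresh records can always build a chain of trust. It assumes each operator's KSK and ZSK collapse into one label ("old" or "new") and that signing moves to the new keys at the re-sign in step 6; the state labels and function names are hypothetical.

```python
# Added illustration, not part of the draft. Each operator's KSK/ZSK pair is
# collapsed into one label ("old"/"new"); the state names are hypothetical.
def state(label, ns, ds, keys, signer, serving, wait=False):
    return dict(label=label, ns=set(ns), ds=set(ds), keys=set(keys),
                signer=signer, serving=set(serving), wait=wait)

OLD, NEW, BOTH = {"old"}, {"new"}, {"old", "new"}

# Root NS/DS, zone DNSKEY set, signing operator and answering operators
# after each group of steps in Section 4; wait=True marks steps 5 and 9.
# Assumption: the re-sign in step 6 is where signing moves to the new keys.
DRAFT_PLAN = [
    state("start",       OLD,  OLD,  OLD,  "old", OLD),
    state("steps 1-2",   OLD,  OLD,  BOTH, "old", BOTH),
    state("steps 3-5",   BOTH, BOTH, BOTH, "old", BOTH, wait=True),
    state("step 6",      BOTH, BOTH, BOTH, "new", BOTH),
    state("steps 7-9",   NEW,  BOTH, BOTH, "new", BOTH, wait=True),
    state("step 10",     NEW,  BOTH, NEW,  "new", BOTH),
    state("steps 11-12", NEW,  NEW,  NEW,  "new", BOTH),
    state("step 13",     NEW,  NEW,  NEW,  "new", NEW),
]

def first_unsafe_step(plan):
    """Return the label of the first state some resolver cannot validate."""
    start = 0  # oldest state whose records may still sit in a cache
    for i, cur in enumerate(plan):
        window = plan[start:i + 1]
        for a in window:
            # Cached delegations must point at operators still answering.
            if not a["ns"] <= cur["serving"]:
                return cur["label"]
            for b in window:
                # The DNSKEY RRset of state a is signed by a's signer and
                # must chain to any DS set b; RRSIGs made in state a must
                # verify against any DNSKEY set b.
                if a["signer"] not in b["ds"] or a["signer"] not in b["keys"]:
                    return cur["label"]
        if cur["wait"]:
            start = i  # after the TTL wait, older records have expired
    return None

def without_wait(plan, label):
    """Copy of plan with the TTL wait of one state removed."""
    return [dict(s, wait=False) if s["label"] == label else s for s in plan]
```

In this model, removing the step 5 wait makes step 6 the first unsafe state, because a resolver may still hold a DS set with no new-operator entry when the new signatures appear. Removing the step 9 wait makes step 10 unsafe, because signatures made with the old keys may still be cached when the old DNSKEY records are withdrawn.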