Adding/removing name servers under DNSSEC

Mark Andrews marka at isc.org
Tue Mar 7 00:32:35 UTC 2017 

In message <924327F5-6D1D-49F4-80C1-B1A2C539FC2B at nau.edu>, Mathew Ian Eis writes:
> Hi BIND,
>
> Hoping someone in the community will have experience with this.
>
> We are looking to migrate off a set of nameservers to another set of
> nameservers. For all practical considerations, both sets of servers are
> slave to the same hidden master, which yields interesting considerations
> that are not part of the normal practices in terms of the migration.
> (Being that normal migrations are from one provider to another and
> require cutting a new set of keys).
>
> I see the steps as:
>
> 1. Add new nameservers to zone NS records. (do not remove old nameservers
> yet)
> 2. Wait at least zone NS TTL. (new servers may not be trusted during this
> time)
> 3. Update registry to add new nameservers & remove old nameservers.
> 4. Wait at least registry NS TTL. (old nameservers may not be trusted as
> cache expires, but new servers will)
> 6. Remove NS records for old nameservers from zone.
>
> The reason for not making the change in one quick pass would presumably
> be the risk of complete mismatch between the registry NS records and the
> zone NS records in the event the registry data is cached but the zone
> data is not.
>
> Does anyone have any experience that would suggest differently?
>
> Thanks in advance,
>
> Mathew Eis
> Northern Arizona University

* You configure the new servers. All servers should be serving the
  same content during the change sans zone transfer delays.
* You update the NS records (parent and child).
* Wait for all the servers to have the new NS records (parent and child).
* Wait for cached NS records to expire (max parent/child TTL).
* Deconfigure the old servers for the zone.

This really is independent of DNSSEC.  Many people don't do this
correctly.  They don't ensure new and old servers serve the same
content during the change over or add the necessary wait periods.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list