DNSSEC migration sanity check
Crist Clark
cjc+bind-users at pumpky.net
Thu Aug 20 04:49:28 UTC 2020
Not sure I understand why you need to do anything except change the
authoritative NS records in the zone and in the delegation at the
registrar. You also only really need to decrease the TTL on the NS
records, not all of the records in the zone. Why touch any keys and
the corresponding DS records?
Are we missing some complication in your deployment?
On Wed, Aug 19, 2020 at 11:44 AM John W. Blue via bind-users
<bind-users at lists.isc.org> wrote:
>
> We are in the process of moving from one IPAM vendor to another.
>
>
>
> All of our zones are DNSSEC signed and the TTL’s have been lowered to 300 seconds.
>
>
>
> At a high level, the playbook is to update the registrar with names/IP addresses of the new servers and update the DSKEY. Depending on the time of the day that the cutover actually happens at we know the process to request of the registrar an out of band data push so the new servers will be seen by the open Internet.
>
>
>
> A suggestion have been put forth that we should unsign our zones prior to migration but I am skeptical of the benefits of doing so.
>
>
>
> Are we missing something obvious?
>
>
>
> John
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list