Changing DNS servers (name only) for a DNSSEC enabled domain

Crist Clark cjc+bind-users at pumpky.net
Mon Feb 13 23:49:44 UTC 2023


What new DS record? The KSKs aren’t changing, are they? Why would they?

All that is changing is the NS RRset (and maybe SOA if you’re changing the
MNAME).

If the NS glue in the parent doesn’t agree with the canonical NS RRset in
the child, this is not a DNSSEC fail. This is as easy as changing any other
records in the zone.

I think all of these complications arise if you are not only changing NS
servers, but also changing registrars. I think that may be the implicit
assumption. That was not mentioned as part of this change.


On Mon, Feb 13, 2023 at 9:03 AM Mark Elkins via bind-users <
bind-users at lists.isc.org> wrote:

> If the IP addresses of the DNS servers (dns[123].olddomain and
> dns[123].newdomain) are staying the same - then you only need to send an
> update to change your domain from being hosted at olddomain to newdomain.
> Ideally, the newdomain would be created first (pointing to the same IP
> addresses as in olddomain) in the Registry, then after a day or two, have
> the olddomain in the Registry deleted - but it shouldn't really matter.
>
> People who are looking for DNSSEC records will still go to the correct
> places - because the IP addresses at those places are not changing.
> On 2023/02/13 17:58, Danilo Godec via bind-users wrote:
>
> Hello,
>
>
> in the near future I will have to change NS records for one of my domains,
> as DNS servers currently use an old domain (not mine), that will be phased
> out. DNS servers will actually remain the same, only the domain name will
> change.
>
> So, basically:
>
>
>    - mydomain currently uses dns1.olddomain, dns2.olddomain,
>    dns3.olddomain, ...
>    - dns*.olddomain are the same servers as dns*.newdomain
>    - mydomain has to change DNS server to dns1.newdomain, dns2.newdomain,
>    dns3.newdomain, ...
>
>
>
> Since DNSSEC is enabled on mydomain, I've been reading some instructions
> about doing this with DNSSEC and they say:
>
> 1. Disable DNSSEC at Registrar
> 2. Wait 24 hours
> 3. Disable DNSSEC at Name Server (remove DS-records)
> 4. Switch name servers
> 5. Wait 24 hours
> 6. Re-enable DNSSEC
>
> I personally prefer,
>
> Create the Domain on the new nameservers, sign it, send the new DS record
> to the Registry. This probably means loading the DS record via the old
> (existing) Registrar. Wait 24 hours (propagation time) then update (swap)
> the Nameservers at the Registry to the new Nameservers.
> Wait a day or two then remove the domain from the old servers.
> As long as one of the DS records matches the DNSKEY on either the old or
> new Nameservers - DNSSEC should validate.
>
> The problem is - not many Registrars allow a foreign DS record to be
> loaded in their system for uploading to the Registry. I do allow the client
> to do this. Don't think it has ever happened though.
>
>
>
>
> Is this really necessary in this case, changing only DNS server names? I
> would like to avoid changing DS records at the registrar level as they
> don't provide a 'self-service' interface for managing them, so I have to go
> through their support and that's usually tedious.
>
> If that is necessary, why?
>
>
>    Thanks, Danilo
>
> PS: If it matters, this is (still) a manually DNSSEC'd domain.
>
> --
>
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje at posix.co.za       Tel: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
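As an added illustration of the point Crist makes above (this is example code written for this page, not something posted in the thread or shipped with BIND), the script below derives a DS record from a DNSKEY the way RFC 4034 describes it: the digest covers the owner name plus the DNSKEY RDATA, and nothing else. The NS RRset is not an input, so renaming dns*.olddomain to dns*.newdomain cannot change the DS the registry holds, while introducing a new KSK would. The zone name, key bytes and name server names are constructed sample values; the separate parent/child NS comparison shows the kind of delegation mismatch that is an operational problem rather than a DNSSEC validation failure.

```python
"""Added example: what a DS record covers, and why an NS-only change leaves it alone.

Per RFC 4034 the DS digest is computed over the owner name (wire form) followed by
the DNSKEY RDATA.  The delegation validates as long as some DS in the parent
matches some DNSKEY (normally the KSK) in the child.  All data below is
constructed sample data for a hypothetical zone "mydomain.example".
"""
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> tuple:
    """Parent-side DS as (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)


def delegation_ok(parent_ds: set, owner: str, child_dnskeys: list) -> bool:
    """Secure entry point holds if any published DS matches any child DNSKEY."""
    return any(ds_from_dnskey(owner, key) in parent_ds for key in child_dnskeys)


def ns_mismatch(parent_ns: set, child_ns: set) -> dict:
    """Names the parent delegates to but the child does not list, and vice versa.
    A non-empty result is a delegation-consistency problem, not a DNSSEC failure."""
    return {"only_in_parent": parent_ns - child_ns, "only_in_child": child_ns - parent_ns}


# --- constructed sample zone ---
OWNER = "mydomain.example"
KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))     # flags 257: SEP bit set (KSK)
ZSK = dnskey_rdata(256, 3, 13, bytes(range(64, 0, -1)))
PARENT_DS = {ds_from_dnskey(OWNER, KSK)}                 # what the registry publishes today

OLD_NS = {"dns1.olddomain.example.", "dns2.olddomain.example."}
NEW_NS = {"dns1.newdomain.example.", "dns2.newdomain.example."}
ZONE = {"NS": OLD_NS, "DNSKEY": [KSK, ZSK]}


def after_ns_rename() -> bool:
    """Swap only the NS names; the DNSKEY set, and therefore the DS, is unchanged."""
    renamed = {"NS": NEW_NS, "DNSKEY": ZONE["DNSKEY"]}
    return delegation_ok(PARENT_DS, OWNER, renamed["DNSKEY"])


def after_ksk_rollover() -> bool:
    """Contrast: a new KSK with no matching DS in the parent breaks the chain of trust."""
    new_ksk = dnskey_rdata(257, 3, 13, bytes(range(100, 164)))
    return delegation_ok(PARENT_DS, OWNER, [new_ksk, ZSK])


if __name__ == "__main__":
    print("DS for the KSK:", ds_from_dnskey(OWNER, KSK))
    print("validates after NS rename:  ", after_ns_rename())     # True
    print("validates after KSK rollover:", after_ksk_rollover())  # False
    # parent still delegating to the old names while the child already lists the new ones
    print("delegation mismatch:", ns_mismatch(OLD_NS, NEW_NS))
```

Run it stand-alone and the two contrasting calls show the asymmetry: the DS tuple is identical before and after the NS rename, and only a changed KSK makes `delegation_ok` fail. In practice the same check is what `dig +dnssec DS` at the parent versus `dig DNSKEY` at the child would tell you, with `ns_mismatch` standing in for comparing the parent's delegation NS set against the child's apex NS RRset.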

