Re: DNSSEC migration sanity check

2020-09-04 Thread John W. Blue via bind-users
Howdy bind-users list. TL;DR: we were able to move zones between DNS servers with different KSK/ZSK while keeping the zones secure. First I want to say a BIG thank you for the replies received since it helped in documenting our workflow for these migrations. Off list, Paul E. mentioned that a

Re: DNSSEC migration sanity check

2020-08-20 Thread Matthijs Mekking
Hi John, It all depends on the key material that is used to sign your zone. It looks like you have to update the DNSKEY RRset, so I assume the vendors are responsible for signing and each have their own key material. In order to let the world know you are going to use new keys you will have to

Re: DNSSEC migration sanity check

2020-08-19 Thread Crist Clark
Not sure I understand why you need to do anything except change the authoritative NS records in the zone and in the delegation at the registrar. You also only really need to decrease the TTL on the NS records, not all of the records in the zone. Why touch any keys and the corresponding DS records?

DNSSEC migration sanity check

2020-08-19 Thread John W. Blue via bind-users
We are in the process of moving from one IPAM vendor to another. All of our zones are DNSSEC signed and the TTLs have been lowered to 300 seconds. At a high level, the playbook is to update the registrar with names/IP addresses of the new servers and update the DSKEY. Depending on the time
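The sanity check the thread is circling around (does the DS set at the registrar actually match the KSK the new provider will publish, and is the old DS still there for the overlap window?) can be run offline before the registrar change is made. The script below is an added example written for this page; it is not code from the thread, from BIND or from either IPAM vendor. It computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4, digest over canonical owner name plus DNSKEY RDATA) from DNSKEY records in presentation format, then reports which parent DS records match a published KSK. The DNSKEY and DS records inside it are constructed placeholders, not real key material; the zone name example.test and the stale key tag 12345 are likewise made up.

```python
"""Offline DNSSEC delegation sanity check (added example, not from the thread).

Feed it the DNSKEY RRset the new provider will publish and the DS RRset that is
(or will be) at the parent.  Every DS is re-derived from the child KSKs and the
parent set is split into matched and unmatched records.  The delegation only
validates if at least one parent DS matches a published KSK.
"""
import base64
import hashlib
import struct

# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # Secure Entry Point bit; set on a KSK (flags 257), clear on a ZSK (256)


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into its fields."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = int(fields[idx + 1]), int(fields[idx + 2]), int(fields[idx + 3])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split across fields
    return fields[0], flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr: str, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, hex_digest) as a DS record would carry it."""
    owner, flags, proto, alg, pubkey = parse_dnskey(rr)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGEST_ALGOS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)


def parse_ds(rr: str):
    """Parse 'owner [ttl] [IN] DS keytag alg digesttype hex...' into a comparable tuple."""
    fields = rr.split()
    idx = fields.index("DS")
    return (int(fields[idx + 1]), int(fields[idx + 2]), int(fields[idx + 3]),
            "".join(fields[idx + 4:]).upper())


def check_delegation(dnskeys, ds_records):
    """Split the parent DS set into records that match a child KSK and records that do not.

    ZSKs are ignored on purpose: a DS pointing at a ZSK is not what validators expect.
    """
    expected = set()
    for rr in dnskeys:
        _, flags, _, _, _ = parse_dnskey(rr)
        if flags & SEP_FLAG:
            for dt in DIGEST_ALGOS:
                expected.add(ds_from_dnskey(rr, dt))
    parsed = [parse_ds(rr) for rr in ds_records]
    matched = [ds for ds in parsed if ds in expected]
    unmatched = [ds for ds in parsed if ds not in expected]
    return matched, unmatched


# Constructed sample records: throwaway 2-byte "keys", not real DNSSEC material.
NEW_DNSKEYS = [
    "example.test. 300 IN DNSKEY 257 3 8 AQI=",  # KSK the new provider will publish
    "example.test. 300 IN DNSKEY 256 3 8 AwQ=",  # ZSK; must never be referenced by a DS
]


def new_ksk_ds():
    """DS (SHA-256) that the registrar must carry for the new provider's KSK."""
    return ds_from_dnskey(NEW_DNSKEYS[0])


def demo():
    """Parent set with the new DS plus a stale DS (made-up tag 12345) left from the old KSK."""
    tag, alg, dt, digest = new_ksk_ds()
    parent_ds = [
        f"example.test. 3600 IN DS {tag} {alg} {dt} {digest}",
        "example.test. 3600 IN DS 12345 8 2 " + "00" * 32,
    ]
    return check_delegation(NEW_DNSKEYS, parent_ds)


if __name__ == "__main__":
    matched, unmatched = demo()
    print("matched DS:", matched)
    print("unmatched DS (stale or wrong):", unmatched)
    print("delegation validates:", bool(matched))
```

During the overlap window it is normal for the old provider's DS to show up in the unmatched list: it only becomes a problem once the old DNSKEY RRset has aged out of caches and no matched DS remains. Run the check against the DS set actually served by the parent (dig DS at the parent's servers), not against what the registrar's web form claims.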