If the IP addresses of the DNS servers (dns[123].olddomain and
dns[123].newdomain) are staying the same - then you only need to send an
update to change your domain from being hosted at olddomain to
newdomain. Ideally, the newdomain would be created first (pointing to
the same IP addresses as in olddomain) in the Registry, then after a day
or two, have the olddomain in the Registry deleted - but it shouldn't
really matter.
People who are looking for DNSSEC records will still go to the correct
places - because the IP addresses at those places are not changing.
On 2023/02/13 17:58, Danilo Godec via bind-users wrote:
> Hello,
>
> in the near future I will have to change NS records for one of my
> domains, as DNS servers currently use an old domain (not mine), that
> will be phased out. DNS servers will actually remain the same, only
> the domain name will change.
>
> So, basically:
>
> * mydomain currently uses dns1.olddomain, dns2.olddomain,
>   dns3.olddomain, ...
> * dns*.olddomain are the same servers as dns*.newdomain
> * mydomain has to change DNS server to dns1.newdomain,
>   dns2.newdomain, dns3.newdomain, ...
>
> Since DNSSEC is enabled on mydomain, I've been reading some
> instructions about doing this with DNSSEC and they say:
>
> 1. Disable DNSSEC at Registrar
> 2. Wait 24 hours
> 3. Disable DNSSEC at Name Server (remove DS-records)
> 4. Switch name servers
> 5. Wait 24 hours
> 6. Re-enable DNSSEC

I personally prefer,
Create the Domain on the new nameservers, sign it, send the new DS
record to the Registry. This probably means loading the DS record via
the old (existing) Registrar. Wait 24 hours (propagation time) then
update (swap) the Nameservers at the Registry to the new Nameservers.
Wait a day or two then remove the domain from the old servers.
As long as one of the DS records matches the DNSKEY on either the old or
new Nameservers - DNSSEC should validate.
The problem is - not many Registrars allow a foreign DS record to be
loaded in their system for uploading to the Registry. I do allow the
client to do this. Don't think it has ever happened though.

> Is this really necessary in this case, changing only DNS server names?
>
> I would like to avoid changing DS records at the registrar level as
> they don't provide a 'self-service' interface for managing them, so I
> have to go through their support and that's usually tedious.
>
> If that is necessary, why?
>
> Thanks, Danilo
>
> PS: If it matters, this is (still) a manually DNSSEC'd domain.

--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
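
Added illustration, not part of the original messages: a DS record is a digest over the zone's owner name and the DNSKEY RDATA (RFC 4034), so the NS host names are not an input, and the chain holds as long as one DS at the parent matches a DNSKEY the servers publish. The zone name `mydomain.example.` and both keys are constructed placeholders, and the check models only the DS-to-DNSKEY match, not RRSIG verification.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical wire form of an owner name (lower-cased, length-prefixed labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, key):
    """SHA-256 DS (digest type 2) = SHA-256(owner wire name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(*key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], 2, digest)

def chain_ok(parent_ds_set, owner, served_keys):
    """True if any DS held by the parent matches any DNSKEY the servers publish."""
    return any(make_ds(owner, k) in parent_ds_set for k in served_keys)

# Constructed sample keys (not real key material); 64 bytes as for algorithm 13.
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
ZONE = "mydomain.example."  # placeholder zone name

if __name__ == "__main__":
    parent = {make_ds(ZONE, OLD_KSK)}
    # NS names change, servers and key stay the same: the DS still matches.
    print("rename only:", chain_ok(parent, ZONE, [OLD_KSK]))
    # New servers signing with a new key while the parent holds only the old DS.
    print("new key, old DS only:", chain_ok(parent, ZONE, [NEW_KSK]))
    # Both DS records loaded before the swap: either server set matches.
    parent.add(make_ds(ZONE, NEW_KSK))
    print("both DS:", chain_ok(parent, ZONE, [OLD_KSK]), chain_ok(parent, ZONE, [NEW_KSK]))
```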