Step 5: introduce destination keys on source signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to introduce the DNSKEY records for the active keys from the destination signer on the source signer. The situation at the end of this step is shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Stop the signer software on the source […]

No Comments

Step 4: introduce source keys on destination signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to introduce the DNSKEY records for the active keys from the source signer on the destination signer, and to obtain an RRSIG over the new DNSKEY set that results, generated with the active keys on the destination signer. The end situation of this step is shown in […]
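Both of the steps summarised above (Step 4, putting the source signer's active keys into the destination signer's DNSKEY set, and Step 5, the reverse) come down to the same operation: a signer publishes its own DNSKEY records plus the other signer's active keys, while keys that are only pre-published on the other signer stay out. The following is an added example, not code from this blog or from OpenDNSSEC, that models exactly that composition with the standard library only. It parses DNSKEY records in presentation format, computes key tags per RFC 4034 appendix B, builds the merged RRset for each direction, and runs the checks an operator would want before loading the merged set. The key sets (SOURCE, DESTINATION, the tiny placeholder public keys, the owner name example.net. and the "active"/"published" states) are constructed for illustration; signing the resulting DNSKEY set is left to the signer software and is not modelled.

```python
import base64
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    """One DNSKEY RR (RFC 4034 section 2); owner name and TTL are kept outside."""
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def from_presentation(cls, text: str) -> "DNSKEY":
        """Parse a full RR line or only the RDATA fields 'flags proto alg base64...'.
        Base64 split over several fields (as in zone files) is joined first."""
        fields = text.split()
        start = fields.index("DNSKEY") + 1 if "DNSKEY" in fields else 0
        flags, protocol, algorithm = (int(f) for f in fields[start:start + 3])
        key = base64.b64decode("".join(fields[start + 3:]))
        return cls(flags, protocol, algorithm, key)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 appendix B; tags are not unique, collisions happen."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        return bool(self.flags & 1)  # SEP bit set: KSK (257); clear: ZSK (256)

    def to_presentation(self, owner: str = "example.net.", ttl: int = 3600) -> str:
        b64 = base64.b64encode(self.public_key).decode()
        return f"{owner} {ttl} IN DNSKEY {self.flags} {self.protocol} {self.algorithm} {b64}"


# Constructed key sets (placeholder public keys a few bytes long, NOT real DNSSEC keys).
# Each signer maps a key to its state: "active" (signs) or "published" (pre-published
# only), mirroring the ZSK pre-publication rollover the source signer uses.
SOURCE = {
    DNSKEY.from_presentation("example.net. 3600 IN DNSKEY 257 3 13 BAUG"): "active",     # source KSK
    DNSKEY.from_presentation("example.net. 3600 IN DNSKEY 256 3 13 AQID"): "active",     # active source ZSK
    DNSKEY.from_presentation("example.net. 3600 IN DNSKEY 256 3 13 DQ4P"): "published",  # pre-published source ZSK
}
DESTINATION = {
    DNSKEY.from_presentation("257 3 13 CgsM"): "active",  # destination KSK
    DNSKEY.from_presentation("256 3 13 BwgJ"): "active",  # destination ZSK
}


def active_keys(signer: dict) -> list:
    return [k for k, state in signer.items() if state == "active"]


def merged_dnskey_rrset(own: dict, other: dict) -> list:
    """DNSKEY RRset a signer publishes after introducing the other signer's keys:
    all of its own keys plus the other signer's *active* keys, deduplicated on RDATA."""
    merged = list(own.keys())
    seen = {k.rdata() for k in merged}
    for k in active_keys(other):
        if k.rdata() not in seen:
            merged.append(k)
            seen.add(k.rdata())
    return merged


def check_rrset(rrset: list, other: dict) -> list:
    """Pre-flight checks on a merged set: every active key of the other signer is
    present, at least one KSK is present, and no two keys share a key tag."""
    problems = []
    present = {k.rdata() for k in rrset}
    for k in active_keys(other):
        if k.rdata() not in present:
            problems.append(f"missing active key {k.key_tag()} from other signer")
    if not any(k.is_ksk() for k in rrset):
        problems.append("no KSK in merged set")
    tags = [k.key_tag() for k in rrset]
    if len(tags) != len(set(tags)):
        problems.append("key tag collision in merged set")
    return problems


def step4_destination_rrset() -> list:
    """Step 4: the destination signer adds the source signer's active keys."""
    return merged_dnskey_rrset(DESTINATION, SOURCE)


def step5_source_rrset() -> list:
    """Step 5: the source signer adds the destination signer's active keys."""
    return merged_dnskey_rrset(SOURCE, DESTINATION)


if __name__ == "__main__":
    for name, rrset, other in (("step 4", step4_destination_rrset(), SOURCE),
                               ("step 5", step5_source_rrset(), DESTINATION)):
        print(f"--- {name}: {len(rrset)} DNSKEY records, problems: {check_rrset(rrset, other) or 'none'}")
        for k in rrset:
            print(f"{k.to_presentation()}  ; tag {k.key_tag()} {'KSK' if k.is_ksk() else 'ZSK'}")
```

The point worth noticing in the output is that the pre-published source ZSK is absent from the Step 4 set but present in the Step 5 set (it is one of the source signer's own records), and that the check on key-tag collisions matters here because two independently generated key sets are being combined for the first time.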

No Comments

Step 3: configuring the destination signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to configure the destination signer and to transition it to the situation as shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Configure the zone to be migrated on the new signer Launch automated key management on the new signer but do […]

No Comments

Step 2: cleaning up the source signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to clean up the source signer and to transition it to the situation shown in the image below: To reach this state, the following sub-steps need to be taken: Stop automated uploads of the input zone to the destination signer Stop active key management (when using OpenDNSSEC this means […]

No Comments

Step 1: starting situation

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The diagram above shows the starting situation on the source signer. The starting situation shown is a typical snapshot of the state of a signer that uses the “ZSK pre-publication” rollover strategy in which a ZSK is pre-published before it is made active and in which old signatures are gradually rolled to the new key […]

No Comments

Signer migration: our goals and assumptions

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

Introduction As mentioned in the previous post, we will be publishing a series of articles on signer migration. In this article, we will address the goals we set ourselves for the signer migration as well as outline the assumptions we made. We’ll end the article with a brief explanation of the diagrams we will be […]

1 Comment

Signer migration: a step-by-step guide (introduction)

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

One of our goals with this blog has been to share what we have learned from our DNSSEC deployment with our constituency and the wider Internet community. Last month we performed a complicated operation on our DNSSEC signer deployment: we migrated from the existing signer setup to a completely independently running new signer. We had […]

No Comments

MTU woes again…

Written by Roland van Rijswijk in category: Resilience, Technical

We recently experienced some more MTU woes as a result of our main zone being DNSSEC signed that I’d like to share with you in the hope that this can help prevent this problem for others. Last week I got an e-mail from our IT department about mail issues that some of my colleagues were […]

No Comments

Thoughts on procedures and checklists

Written by Rick van Rein in category: Procedures, Technical

These are a few general thoughts about procedures and checklists, before diving into the detail level required by some of them. In general, we see procedures as predefined steps that can satisfy a checklist without further thought for an operator with normal skills. Procedures can be helpful because they take the creativity (and anxiety) out […]

No Comments

Actor responsibilities towards DNSSEC

Written by Rick van Rein in category: Procedures, Security, Technical, Users

We are working towards a DNS signing system with various roles at a number of levels. At each of these levels we assign responsibilities, many of which will not be new to the people involved. We are not primarily worried about people with bad intentions (within our organisation), so we do not split roles as […]

No Comments