Reaching out to the parent zone

Written by Rick van Rein in category: Architecture, Procedures, Resilience, Technical

Upload KSK information to the parent zone, following a procedure that is mindful of old results in caches. The code of the engine is included.


DNSSEC signer migration

Written by Roland van Rijswijk in category: Architecture, Procedures, SNInnovatieblog, Technical

Over the past week we have published, on our DNSSEC blog, a detailed HOWTO on the signer migration process we went through last month. The full process, including a worksheet (also available separately) to help you during the process, is described in the document that you can download by clicking on the image on […]


Step 9: resume automated key management

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to remove the DNSKEY record for the active ZSK from the source signer from the input zone and to resume automated key management. Once this step has taken place, the migration is complete. The situation at the end of this step is shown in the diagram below: To reach […]


Step 8: switch over to the destination signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to completely switch over to the destination signer. At the end of this step, continuous zone signing has been restarted and will only take place on the destination signer; zone publication will have been resumed and will use the output from the destination signer. The situation at the end […]


Step 7: switch the DS record

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to switch the DS for the zone to point to the KSK of the destination signer. The situation at the end of this step is shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Contact the parent zone (registry) to submit the […]


Step 6: create a fully cross-signed zone

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to create a fully cross-signed zone that includes the key set from the source as well as the destination signer. The situation at the end of this step is shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Edit the output (i.e. […]


Step 5: introduce destination keys on source signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to introduce the DNSKEY records for the active keys from the destination signer on the source signer. The situation at the end of this step is shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Stop the signer software on the source […]


Step 4: introduce source keys on destination signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to introduce the DNSKEY records for the active keys from the source signer on the destination signer and to get an RRSIG signature, made with the active keys on the destination signer, for the new DNSKEY set this will result in. The end situation of this step is shown in […]


Step 3: configuring the destination signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to configure the destination signer and to transition it to the situation as shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Configure the zone to be migrated on the new signer Launch automated key management on the new signer but do […]


Step 2: cleaning up the source signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to clean up the source signer and to transition it to the situation shown in the image below: To reach this state, the following sub-steps need to be taken: Stop automated uploads of the input zone to the destination signer Stop active key management (when using OpenDNSSEC this means […]
