Step 2: cleaning up the source signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to clean up the source signer and to transition it to the situation shown in the image below:

To reach this state, the following sub-steps need to be taken:

  1. Stop automated uploads of the input zone to the destination signer
  2. Stop active key management (when using OpenDNSSEC this means stopping the “enforcer” component)
  3. Alter the signer configuration such that only the active ZSK is published as part of the DNSKEY set (when using OpenDNSSEC this means manually editing the signer configuration for the zone that is being migrated)
  4. Force the signer to generate a zone that only contains fresh signatures for the active ZSK (when using OpenDNSSEC this means deleting the signed zone and all intermediate files and re-running the signer)
  5. Set the SOA serial number in the input zone such that it is higher than the currently published zone’s SOA serial number
  6. Re-start the signer and make sure that a new zone with the new DNSKEY set and fresh signatures is published
  7. Wait maxTTL(zone) after all authoritative name servers have received the new zone data for the new signatures to propagate to caches

Note: a side effect of this step is that all signatures have the maximum validity time at the start of the migration process.
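As an added verification example (not part of the original post and not OpenDNSSEC code), the following Python script checks the properties that sub-steps 3 to 6 are meant to establish, against a constructed zone fragment: the published DNSKEY set contains exactly one ZSK, every RRSIG is made with a published key (the DNSKEY RRset by the KSK, all other RRsets by the active ZSK), and the new SOA serial is greater than the previously published one under RFC 1982 serial arithmetic. Key tags are computed as in RFC 4034 Appendix B. All names, serials, key material and signature blobs below are made up for the example; the keys are not real cryptographic keys.

```python
import base64

# Constructed sample: the zone as the source signer publishes it BEFORE step 2.
# A ZSK rollover is in progress, so two ZSKs are published and both have signed data.
ZONE_BEFORE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2012051501 7200 3600 1209600 3600
example.test. 3600 IN DNSKEY 257 3 13 CgsMDQ==
example.test. 3600 IN DNSKEY 256 3 13 ECAwQA==
example.test. 3600 IN DNSKEY 256 3 13 AQIDBA==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20120601000000 20120501000000 6694 example.test. c2lnMQ==
example.test. 3600 IN RRSIG SOA 13 2 3600 20120601000000 20120501000000 17517 example.test. c2lnMg==
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 13 2 3600 20120601000000 20120501000000 2067 example.test. c2lnMw==
"""

# Constructed sample: the zone as it should look AFTER sub-step 6. Only the active ZSK
# remains in the DNSKEY set, every non-DNSKEY RRSIG is made with it, and the serial is higher.
ZONE_AFTER = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2012051601 7200 3600 1209600 3600
example.test. 3600 IN DNSKEY 257 3 13 CgsMDQ==
example.test. 3600 IN DNSKEY 256 3 13 AQIDBA==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20120601000000 20120501000000 6694 example.test. c2lnMQ==
example.test. 3600 IN RRSIG SOA 13 2 3600 20120601000000 20120501000000 2067 example.test. c2lnMg==
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 13 2 3600 20120601000000 20120501000000 2067 example.test. c2lnMw==
"""


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag of a DNSKEY per RFC 4034 Appendix B (the non-RSAMD5 algorithm)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def serial_newer(new, old):
    """True if `new` is greater than `old` under RFC 1982 serial number arithmetic."""
    return new != old and ((new - old) % (1 << 32)) < (1 << 31)


def parse_records(zone_text):
    """Minimal parser for one-record-per-line presentation format: (owner, type, rdata fields)."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "IN":
            continue
        records.append((fields[0], fields[3], fields[4:]))
    return records


def audit_cleanup(zone_text, previously_published_serial):
    """Check the zone against what sub-steps 3 to 6 should produce.
    Returns the key tags found and a list of human-readable problems (empty if clean)."""
    records = parse_records(zone_text)
    ksk_tags, zsk_tags = set(), set()
    for _, rtype, rdata in records:
        if rtype == "DNSKEY":
            flags, proto, alg, key = int(rdata[0]), int(rdata[1]), int(rdata[2]), rdata[3]
            # Flag bit 15 (value 1) is the SEP bit: set on a KSK, clear on a ZSK.
            (ksk_tags if flags & 1 else zsk_tags).add(key_tag(flags, proto, alg, key))

    problems = []
    if len(zsk_tags) != 1:
        problems.append(f"expected exactly one ZSK in the DNSKEY set, found key tags {sorted(zsk_tags)}")

    # RRSIG rdata: type_covered alg labels orig_ttl expiration inception key_tag signer signature
    for _, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        covered, tag = rdata[0], int(rdata[6])
        if covered == "DNSKEY":
            if tag not in ksk_tags:
                problems.append(f"DNSKEY RRset is signed with key tag {tag}, which is not a published KSK")
        elif tag not in zsk_tags:
            problems.append(f"RRSIG over {covered} uses key tag {tag}, which is not the published ZSK")

    soa = [rdata for _, rtype, rdata in records if rtype == "SOA"]
    new_serial = int(soa[0][2]) if soa else None
    if new_serial is None or not serial_newer(new_serial, previously_published_serial):
        problems.append(f"SOA serial {new_serial} is not newer than {previously_published_serial}")

    return {"ksk_tags": ksk_tags, "zsk_tags": zsk_tags, "serial": new_serial, "problems": problems}


if __name__ == "__main__":
    # 2012051501 is the serial that was live before the cleanup in this constructed scenario.
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        result = audit_cleanup(zone, 2012051501)
        print(label, "ZSK tags:", sorted(result["zsk_tags"]), "problems:", result["problems"] or "none")
```

Run against a real zone, the input would be the signed zone file the signer writes out (or the output of a zone transfer from an authoritative server), and the "previously published serial" the one a resolver still sees for the zone; the audit should come back clean before you start the wait in sub-step 7.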
