Step 3: configuring the destination signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to configure the destination signer and bring it to the situation shown in the diagram below:

To reach this situation, the following sub-steps need to be taken:

  1. Configure the zone to be migrated on the new signer
  2. Launch automated key management on the new signer but do not yet launch zone signing (when using OpenDNSSEC this means launching the “enforcer” component but not yet launching the “signer” component)
  3. Once the signer configuration has been created by the automated key manager, you must stop automated key management again
  4. If the key manager generated and configured a new ZSK for pre-publication, edit the signer configuration so that this ZSK is not pre-published
  5. Run the signer and allow it to generate an output zone with the trust chain as shown in the diagram above; stop the signer afterwards (or, alternatively, run the signer once if this is possible)
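
Sub-step 4 is the manual edit that is easiest to get wrong, so here is an added example (not part of the original article or of OpenDNSSEC) that finds and removes pre-published ZSKs from a signer configuration before the signer is run. It assumes the OpenDNSSEC signconf XML layout, in which a pre-published ZSK is a `Key` with `Flags` 256 and a `Publish` element but no `ZSK` element; the sample document and its locator values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names assume the OpenDNSSEC signconf layout.
SAMPLE_SIGNCONF = """<SignerConfiguration>
  <Zone name="example.com">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key>
        <Flags>257</Flags><Algorithm>8</Algorithm>
        <Locator>aaaa0001</Locator>
        <KSK/><Publish/>
      </Key>
      <Key>
        <Flags>256</Flags><Algorithm>8</Algorithm>
        <Locator>bbbb0002</Locator>
        <ZSK/><Publish/>
      </Key>
      <Key>
        <Flags>256</Flags><Algorithm>8</Algorithm>
        <Locator>cccc0003</Locator>
        <Publish/>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""

def is_prepublished_zsk(key):
    """True for a key with flags 256 that is published but not used for signing."""
    flags = int(key.findtext("Flags", "0"))
    return (flags == 256 and key.find("Publish") is not None
            and key.find("ZSK") is None)

def strip_prepublished_zsks(signconf_xml):
    """Return (cleaned_xml, removed_locators) for a signconf document."""
    root = ET.fromstring(signconf_xml)
    removed = []
    for keys in root.iter("Keys"):
        for key in list(keys.findall("Key")):  # copy: we mutate while iterating
            if is_prepublished_zsk(key):
                removed.append(key.findtext("Locator"))
                keys.remove(key)
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    cleaned, removed = strip_prepublished_zsks(SAMPLE_SIGNCONF)
    print("removed pre-published ZSK locators:", removed)
    print(cleaned)
```

Running it a second time on its own output should report nothing removed, which is a quick check that the configuration is ready for sub-step 5.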
