Step 4: introduce source keys on destination signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to introduce the DNSKEY records for the active keys from the source signer on the destination signer, and to obtain an RRSIG over the resulting new DNSKEY set, made with the active keys on the destination signer. The end situation of this step is shown in the diagram below:

To reach this situation, the following sub-steps need to be taken:

  1. Stop automated uploads of the input zone to the destination signer
  2. Save an unmodified copy of the input zone on the destination signer; this unmodified copy will be used at a later stage in the process
  3. Alter the input zone on the destination signer to include the DNSKEY record for the active KSK from the source signer
  4. Alter the input zone on the destination signer to include the DNSKEY record for the active ZSK from the source signer
  5. Allow the signer software to run on the destination signer and ensure that the output zone includes a valid signature over the entire DNSKEY set, which should include the active KSK and ZSK from both the source and the destination signer; stop the signer after the zone has been generated (or, alternatively, run the signer once if that is possible)
  6. Save the RRSIG made with the active KSK on the destination signer over the DNSKEY RRset; you will need this record in the following steps
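A check for sub-steps 5 and 6, added here as an example and not part of the original post or of any signer product: it parses the destination signer's output zone (a constructed sample with placeholder key material, one record per line), computes key tags per RFC 4034 Appendix B, confirms that all four expected keys are present in the DNSKEY set and that an RRSIG over DNSKEY carries the destination KSK's tag, and returns that RRSIG so it can be saved. The zone name, keys and records are assumptions; the check confirms presence and key tags only, not cryptographic validity of the signature.

```python
import base64

# Constructed sample of the destination signer's output zone after sub-step 5.
# Public key fields are tiny placeholders, not real keys; one record per line,
# as a flattened zone dump or `dig` output would print them.
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 13 AQID
example.com. 3600 IN DNSKEY 256 3 13 CgsM
example.com. 3600 IN DNSKEY 257 3 13 BAUG
example.com. 3600 IN DNSKEY 256 3 13 BwgJ
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250101000000 20241201000000 3603 example.com. c2lnbmF0dXJl
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250101000000 20241201000000 5141 example.com. c2lnbmF0dXJl
example.com. 3600 IN RRSIG SOA 13 2 3600 20250101000000 20241201000000 5141 example.com. c2lnbmF0dXJl
"""

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_tags(zone_text, apex):
    """Map key tag -> flags for every DNSKEY record owned by the apex."""
    tags = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == apex and f[3] == "DNSKEY":
            tags[key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))] = int(f[4])
    return tags

def check_dnskey_set(zone_text, apex, expected_tags, dest_ksk_tag):
    """Sub-step 5: the DNSKEY set must hold all expected keys and dest_ksk_tag must be
    a KSK (flags 257). Sub-step 6: return the RRSIG over DNSKEY made with that KSK."""
    present = dnskey_tags(zone_text, apex)
    missing = set(expected_tags) - set(present)
    if missing:
        raise ValueError(f"DNSKEY set is missing key tags {sorted(missing)}")
    if present.get(dest_ksk_tag) != 257:
        raise ValueError(f"key tag {dest_ksk_tag} is not a KSK (flags 257) in the set")
    for line in zone_text.splitlines():
        f = line.split()
        # RRSIG fields: type covered, alg, labels, orig TTL, expiry, inception, key tag, signer, sig
        if (len(f) >= 13 and f[0] == apex and f[3] == "RRSIG" and f[4] == "DNSKEY"
                and int(f[10]) == dest_ksk_tag and f[11] == apex):
            return line  # this is the record to save for the following steps
    raise ValueError(f"no RRSIG over DNSKEY made with key tag {dest_ksk_tag}")

if __name__ == "__main__":
    tag = key_tag(257, 3, 13, "BAUG")  # destination KSK from the sample
    print(check_dnskey_set(SAMPLE_ZONE, "example.com.", [2064, 6680, tag, 5141], tag))
```

Real zone files may wrap DNSKEY and RRSIG records across lines with parentheses; flatten them first (for example with a zone-file normaliser) before feeding them to this check.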
