Step 5: introduce destination keys on source signer

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to introduce the DNSKEY records for the active keys from the destination signer on the source signer. The situation at the end of this step is shown in the diagram below:

To reach this situation, the following sub-steps need to be taken:

  1. Stop the signer software on the source signer and ensure that zone publication is temporarily halted (i.e. no new versions of the zone are pushed from the signer to the authoritative name servers)
  2. Alter the input zone on the source signer to include the DNSKEY record for the active KSK from the destination signer
  3. Alter the input zone on the source signer to include the DNSKEY record for the active ZSK from the destination signer
  4. Set the SOA serial number in the input zone such that it is higher than the SOA serial number of the zone that was published in step 2
  5. Allow the signer software to run once on the source signer and ensure that the output zone includes a valid signature over the entire DNSKEY set, which should include the active KSK and ZSK from both the source and the destination signer
  6. Do NOT resume zone publication (i.e. do not push new zones from the signer to the authoritative name servers)
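
As an added example that is not part of the original article, the Python script below walks through sub-steps 2 to 5 on a constructed zone: it appends the destination signer's DNSKEY records to the input zone without duplicating them, bumps the SOA serial so that it exceeds the serial published in step 2, computes DNSKEY key tags per RFC 4034 Appendix B, and runs a structural check on the signer output (every expected key present in the apex DNSKEY RRset, and an RRSIG covering DNSKEY made with the key tag of a KSK in that set). The zone name, key material, serial numbers and the signer output are constructed placeholders; the toy parser only handles a one-record-per-line zone format with no directives or multi-line SOA; and the check does not verify the signature cryptographically, which should be done by running the output zone through a validating tool such as ldns-verify-zone or dnssec-verify before deciding the step succeeded.

```python
import base64
import struct

# Constructed unsigned input zone as it sits on the source signer before this step.
# Toy zone format: one record per line as "owner ttl class type rdata"; no $-directives
# and no multi-line SOA (the parser below assumes exactly that).
INPUT_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2012030101 7200 900 1209600 3600
example.test. 3600 IN NS ns1.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
"""

# Constructed DNSKEY records for the destination signer's active KSK (flags 257)
# and ZSK (flags 256); the base64 key material is dummy bytes, not real keys.
DEST_KSK = "example.test. 3600 IN DNSKEY 257 3 8 BwgJ"
DEST_ZSK = "example.test. 3600 IN DNSKEY 256 3 8 CgsM"
# The source signer's own active keys, added by its signer software when it runs (constructed).
SOURCE_KSK = "example.test. 3600 IN DNSKEY 257 3 8 AQID"
SOURCE_ZSK = "example.test. 3600 IN DNSKEY 256 3 8 BAUG"
# SOA serial of the zone that was published in step 2 (constructed).
PUBLISHED_SERIAL = 2012030105

# Constructed signer output for sub-step 5: all four keys plus an RRSIG over DNSKEY made
# with the source KSK (key tag 2059, see key_tag()); the signature bytes are dummies.
SIGNED_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2012030106 7200 900 1209600 3600
example.test. 3600 IN DNSKEY 257 3 8 AQID
example.test. 3600 IN DNSKEY 256 3 8 BAUG
example.test. 3600 IN DNSKEY 257 3 8 BwgJ
example.test. 3600 IN DNSKEY 256 3 8 CgsM
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20120401000000 20120301000000 2059 example.test. c2lnbmF0dXJl
"""


def parse_zone(text):
    """Parse the toy format into (owner, ttl, class, type, rdata) tuples; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            records.append((owner, int(ttl), cls, rtype, rdata))
    return records


def format_zone(records):
    return "".join(f"{o} {t} {c} {ty} {rd}\n" for o, t, c, ty, rd in records)


def key_tag(dnskey_rdata):
    """Key tag per RFC 4034 Appendix B for DNSKEY rdata given as 'flags protocol algorithm base64'."""
    flags, proto, alg, b64 = dnskey_rdata.split(None, 3)
    wire = struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode(b64)
    ac = 0
    for i, b in enumerate(wire):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def next_serial(current, published):
    """Sub-step 4: exceed both the current input serial and the serial published in step 2.
    Plain increment; RFC 1982 serial wrap-around is deliberately not handled here."""
    return max(current, published) + 1


def prepare_input_zone(zone_text, dest_dnskeys, published_serial):
    """Sub-steps 2-4: append the destination DNSKEYs (no duplicates) and bump the SOA serial."""
    records = parse_zone(zone_text)
    for line in dest_dnskeys:
        rec = parse_zone(line)[0]
        if rec not in records:
            records.append(rec)
    out = []
    for owner, ttl, cls, rtype, rdata in records:
        if rtype == "SOA":
            fields = rdata.split()  # mname rname serial refresh retry expire minimum
            fields[2] = str(next_serial(int(fields[2]), published_serial))
            rdata = " ".join(fields)
        out.append((owner, ttl, cls, rtype, rdata))
    return format_zone(out)


def check_signed_dnskey_set(signed_zone_text, apex, expected_dnskey_rdata):
    """Structural half of sub-step 5: every expected key is in the apex DNSKEY RRset and at
    least one RRSIG covering DNSKEY was made with the key tag of a KSK in that set.
    Returns (ok, missing_keys, rrsig_key_tags). Cryptographic validity is NOT checked."""
    records = parse_zone(signed_zone_text)
    dnskeys = {rd for o, _, _, ty, rd in records if o == apex and ty == "DNSKEY"}
    missing = sorted(set(expected_dnskey_rdata) - dnskeys)
    ksk_tags = {key_tag(rd) for rd in dnskeys if rd.split()[0] == "257"}
    # RRSIG rdata: type_covered alg labels orig_ttl expiry inception key_tag signer signature
    sig_tags = sorted(int(rd.split()[6]) for o, _, _, ty, rd in records
                      if o == apex and ty == "RRSIG" and rd.split()[0] == "DNSKEY")
    ok = not missing and any(t in ksk_tags for t in sig_tags)
    return ok, missing, sig_tags
```

Calling `prepare_input_zone(INPUT_ZONE, [DEST_KSK, DEST_ZSK], PUBLISHED_SERIAL)` yields the input zone to feed to the source signer; after the signer has run once, pass its output and the four expected DNSKEY rdata strings to `check_signed_dnskey_set` and only proceed when it returns `ok` and the signature also validates in a real DNSSEC verification tool. Insisting on a KSK key tag in the RRSIG matters because the DS record at the parent points at the KSK; a DNSKEY set signed only by a ZSK would not chain to the parent.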
