Step 6: create a fully cross-signed zone

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to create a fully cross-signed zone that includes the key set from the source as well as the destination signer. The situation at the end of this step is shown in the diagram below:

To reach this situation, the following sub-steps need to be taken:

  1. Edit the output (i.e. the signed) zone on the source signer and include the RRSIG made with the active KSK from the destination signer over the DNSKEY set saved at the end of step 4
  2. Publish this edited zone on the authoritative name servers
  3. Do NOT restart the signer component on the source signer
  4. Wait TTL(DNSKEY) for the DNSKEY set and the associated signatures to propagate to caches
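
A pre-publication check for sub-step 1, added here as an example and not part of the original procedure: it computes the key tag of every KSK in the DNSKEY set and reports any KSK that has no RRSIG over that set, together with the DNSKEY TTL to wait in sub-step 4. Assumptions: the zone file has one record per line with fully qualified owner names, the SEP flag marks the KSKs, and the zone name, keys and signatures are constructed samples. It checks that the signatures are present, not that they validate.

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def cross_sign_report(zone_text, apex):
    """Presence check only: which KSKs at the apex lack an RRSIG over DNSKEY."""
    ksk_tags, signer_tags, ttl = set(), set(), None
    for line in zone_text.splitlines():
        f = line.split(";", 1)[0].split()          # drop trailing comments
        if len(f) < 5 or f[0].lower() != apex.lower() or f[2] != "IN":
            continue
        if f[3] == "DNSKEY" and len(f) >= 8:
            ttl = int(f[1])
            flags = int(f[4])
            if flags & 0x0001:                     # SEP bit set: treated as a KSK (assumption)
                ksk_tags.add(key_tag(flags, int(f[5]), int(f[6]), "".join(f[7:])))
        elif f[3] == "RRSIG" and f[4] == "DNSKEY" and len(f) >= 11:
            signer_tags.add(int(f[10]))            # key tag field of the RRSIG
    return {"dnskey_ttl": ttl, "missing": sorted(ksk_tags - signer_tags)}

# Constructed sample: toy key material and signature placeholders, not valid DNSSEC data.
SOURCE_OUTPUT = """\
example.org. 3600 IN DNSKEY 257 3 8 AQIDBA==  ; source KSK
example.org. 3600 IN DNSKEY 256 3 8 CQoLDA==  ; source ZSK
example.org. 3600 IN DNSKEY 257 3 8 BQYHCA==  ; destination KSK
example.org. 3600 IN DNSKEY 256 3 8 DQ4PEA==  ; destination ZSK
example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20300201000000 20300101000000 2063 example.org. c2ln
"""
# The line that sub-step 1 adds by hand (constructed, signed by the destination KSK).
DEST_RRSIG = ("example.org. 3600 IN RRSIG DNSKEY 8 2 3600 "
              "20300201000000 20300101000000 4119 example.org. c2ln\n")

if __name__ == "__main__":
    print("before edit:", cross_sign_report(SOURCE_OUTPUT, "example.org."))
    print("after edit: ", cross_sign_report(SOURCE_OUTPUT + DEST_RRSIG, "example.org."))
```

An empty "missing" list means every KSK in the set has a signature over the DNSKEY set, so the edited zone is ready to publish in sub-step 2.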
