Step 9: resume automated key management

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The purpose of this step is to remove the DNSKEY record for the active ZSK from the source signer from the input zone and to resume automated key management. Once this step has taken place, the migration is complete. The situation at the end of this step is shown in the diagram below:

To reach this situation, the following sub-steps need to be taken:

  1. Remove the active ZSK from the source signer from the input zone
  1. If required, update the SOA serial number in your backend system such that it is higher than the SOA serial number that is currently published
  2. Resume automated uploads of the input zone to the destination signer; if you still have zones that are signed and published by the source signer then you can now also resume automated upload of input zones to the source signer
  3. Resume automated key management on the destination signer (in case OpenDNSSEC is used, you can now restart the enforcer component); if you still have zones that are signed and published by the source signer you can also resume automated key management on the source signer

At the end of this step, the migration is complete.

Comments are closed