DNSSEC signer migration

Written by Roland van Rijswijk in category: Architecture, Procedures, SNInnovatieblog, Technical

Over the past week we have published a detailed HOWTO on the signer migration process we have gone through last month on our DNSSEC blog. The full process, including a worksheet (also available separately) to help you during the process, is described in the document that you can download by clicking on the image on this page.

We greatly appreciate any feedback you may have!

1 Comment to “DNSSEC signer migration”

  1. Hugo Salgado says:

    Great doc! Thanks for sharing.
    I’d like to comment two details. It seems worth noting that both source and destinations KSK and ZSK should be of the same algorithm. If there’s a change of algorithm you could end in the step 6 with a broken chain from the DS to the dst RRSIGs. Its required to have complete paths to *all* algorithms.
    Also is good to take into account the DS TTL in the parent zone, and the publication delay in the process of changing. That’s because in step 7 you need to have valids RRSIG with the KSKdst for the entire step!