[Opendnssec-develop] How to migrate a signed zone to OpenDNSSEC

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Nov 23 10:39:52 UTC 2009


> I would say this would be exactly the same as the transfer issue from
> a different DNS-operator.
> Just feed the (signed) zone to opendnssec, and roll the key using the
> same process as when the zone is transferred, i.e. pre-publish.

Isn't it a little bit more complicated than that?

1. Feed unsigned zone and DNSKEY RRset to new nameserver and start signing with new keys
2. Prepublish the new DNSKEYs in the old nameserver
3. Publish new DS
4. Publish new NS and remove old NS
5. Remove old DS
6. Remove old DNSKEYs

With appropriate timing between each step.

Am I missing any step?

// Rickard

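The six-step order listed in the message can be checked against a small cache model; the following is an added example, not part of the original post or of OpenDNSSEC. It assumes one combined-role key per operator (the names `K_old` and `K_new` are made up) and that enough time passes between steps for caches to hold data from at most two adjacent states.

```python
from copy import deepcopy
from itertools import product

# Simplified model (assumption): one combined-role key per operator, and enough
# time passes between steps that caches hold data from at most two adjacent states.
SIGNER = {"old": "K_old", "new": "K_new"}   # key each nameserver signs with
START = {"ds": {"K_old"}, "ns": {"old"},
         "dnskey": {"old": {"K_old"}, "new": set()}}

STEPS = {  # the six steps from the message, expressed as state changes
    1: lambda s: s["dnskey"]["new"].update({"K_old", "K_new"}),
    2: lambda s: s["dnskey"]["old"].add("K_new"),
    3: lambda s: s["ds"].add("K_new"),
    4: lambda s: s.update(ns={"new"}),
    5: lambda s: s["ds"].discard("K_old"),
    6: lambda s: s["dnskey"]["new"].discard("K_old"),
}

def validates(ds, keyset, key_signer, data_signer):
    """True if a resolver holding this DS set and DNSKEY RRset can validate an answer."""
    return key_signer in ds and key_signer in keyset and data_signer in keyset

def first_failure(order):
    """Return the first step after which some cache combination fails, else None."""
    prev = deepcopy(START)
    for step in order:
        cur = deepcopy(prev)
        STEPS[step](cur)
        states = (prev, cur)
        # Every server a resolver may still be querying, with the DNSKEY set it served.
        served = [(srv, st["dnskey"][srv]) for st in states for srv in st["ns"]]
        for st, (ksrv, keyset), (dsrv, _) in product(states, served, served):
            if not validates(st["ds"], keyset, SIGNER[ksrv], SIGNER[dsrv]):
                return step
        prev = cur
    return None

if __name__ == "__main__":
    print("as posted:", first_failure([1, 2, 3, 4, 5, 6]))
    print("without pre-publish:", first_failure([1, 3, 4, 5, 6]))
    print("NS switched before new DS:", first_failure([1, 2, 4, 3, 5, 6]))
```

In this model the posted order never breaks validation, while dropping step 2 or reordering the DS and NS changes fails at the step where a resolver can combine a cached DNSKEY RRset or DS set with data signed by the other operator's key.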

