[Opendnssec-user] DNSSEC live migration document

Rick van Rein rick at openfortress.nl
Sun Sep 30 18:50:42 UTC 2012


Hello,

Roland and I have spent quite a few brain cycles on a plan to migrate
from one DNSSEC solution to another -- doing it the cool way, that is,
without dropping security.  We have run through it on a test domain and
the actually used ones and found it worked rather well for us.  We have
published the results in a manual that we expect to be of general use:

https://dnssec.surfnet.nl/?p=771

We try crack a very general nut in this document:
 * moving from /some/ HSM to /some/ HSM
 * going from /some/ DNSSEC system to /some/ DNSSEC system
 * doing it all without dropping domain security

The manual describes the procedure to follow in detail, so that it can
be replayed without knowledge of the cryptographic structures at play.
We've added lots of graphics in the hope to give a lively insight in
the snapshot state in all the intermediate states.

We hope you will find this useful.  Any remarks are quite welcome on
the blog page, of course.


Cheers,

Roland van Rijswijk	SURFnet BV		+31.302.305305
Rick van Rein		OpenFortress BV		+31.53.4782239
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20120930/a3634541/attachment.bin>


More information about the Opendnssec-user mailing list