[Opendnssec-user] Suggestion for migration instructions

Havard Eidnes he at uninett.no
Sun Mar 21 11:28:32 UTC 2021


Hi,

referring to

https://www.opendnssec.org/migration-from-1-4-to-2-1/

I would like to make the following suggestion.

  7. Migration during a key roll (i.e. keys in state publish)
     especially KSK, will involve assumptions in the migration,
     so if possible perform the migration outside of a key roll
     period.

Since it is likely that you will need to perform an OpenDNSSEC
conversion during a planned maintenance window, i.e. at a pre-
determined time, you probably want your KSK rotation schedule to
avoid that maintenance window.

A tip to do that is to increase your KSK <Lifetime> in your
kasp.xml file well in advance of your maintenance window.

This will in all probability avoid you having KSK keys "in
transition" when your planned maintenance window comes around.

BTW, I could not find the source for the above web page anywhere
on github, so did not try to suggest a pull request for this
additional hint, so therefore write here.

Best regards,

- Håvard


More information about the Opendnssec-user mailing list