The steps for migrating DNSSEC-signed zones between nameservers can be more complex, particularly if the zone is transitioning between hosting providers. The added complexity comes from the need to also transition or replace the signing keys and signatures. The procedure below covers the nameserver (NS RRset) change itself.
Step 1: Ensure all nameservers, new and old, are serving the same zone content.
Step 2: Work out the maximum TTL of the NS RRset in the parent (delegation) and child zones. This is the longest time it will take caches to be clear of a particular version of the NS RRset, and it is the wait used in Steps 5 and 8. If you are just removing nameservers you can skip to Step 6.
Step 3: Add the new nameservers to the NS RRset for the zone and wait until all the servers for the zone (new and old) are answering with this updated NS RRset.
Step 4: Inform the parent zone of the new NS RRset, then wait until all the parent servers are answering with the updated NS RRset (listing both new and old servers).
Step 5: Wait for caches to be clear of the old NS RRset. See Step 2 for how long. If you are just adding nameservers you are done.
Step 6: Remove any old nameservers from the zone's NS RRset and wait until all the servers for the zone are serving the new NS RRset.
Step 7: Inform the parent zone of the new NS RRset, then wait until all the parent servers are answering with the new NS RRset.
Step 8: Wait for caches to be clear of the old NS RRset. See Step 2 for how long.
Step 9: Turn off the old nameservers, or remove the zone entry from the configuration of the old nameservers.
Step 10: Increment the serial number and wait for the change to be visible in all nameservers for the zone. This confirms that zone transfers are still working after the old servers are decommissioned.
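The waits in Steps 3 through 8 and the check in Step 10 all come down to querying every server non-recursively and comparing what each one returns. The script below is an added example (not code from this ISC article) that does that comparison offline: it parses the presentation format of `dig +norec +noall +answer +authority @SERVER ZONE NS`, reports which servers are not yet serving the target NS RRset, computes the Step 2 cache-clear wait from the parent and child TTLs, and checks that the SOA serial has reached every server. The zone, server names and the dig output embedded in it are constructed for illustration; `live_query` is the only part that would talk to a real server.

```python
"""Checks for a nameserver migration: compare the NS RRset seen on every
server, compute the cache-clear wait, and confirm the SOA serial has
propagated.  Added example; not code from the ISC article.

Assumes the presentation format produced by
  dig +norec +noall +answer +authority @SERVER ZONE NS
Names, servers and the dig output below are constructed for illustration."""
import subprocess


def parse_rrset(dig_output, rtype):
    """Return (set of rdata strings, max TTL) for records of type rtype.
    Authority-section records are included so that a non-recursive query to a
    parent server, which returns the delegation NS RRset in the authority
    section, is handled the same way as a child server's answer."""
    rdata, max_ttl = set(), 0
    for line in dig_output.splitlines():
        fields = line.split()   # owner TTL class type rdata... (tab or space separated)
        if len(fields) < 5 or fields[0].startswith(";"):
            continue            # blank line, dig comment, or something that is not a record
        if fields[2] != "IN" or fields[3] != rtype:
            continue
        max_ttl = max(max_ttl, int(fields[1]))
        rdata.add(" ".join(fields[4:]).lower())   # DNS names compare case-insensitively
    return rdata, max_ttl


def ns_rrset(dig_output):
    return parse_rrset(dig_output, "NS")


def soa_serial(dig_output):
    """Serial from a single SOA record, or None if none / more than one."""
    rdata, _ = parse_rrset(dig_output, "SOA")
    if len(rdata) != 1:
        return None
    return int(next(iter(rdata)).split()[2])   # MNAME RNAME SERIAL ...


def servers_disagreeing(responses, expected_ns):
    """responses: {server: dig_output}.  Servers whose NS RRset is not exactly
    expected_ns.  Steps 3/4 and 6/7 are complete when this is empty."""
    expected = {n.lower() for n in expected_ns}
    return {srv for srv, out in responses.items() if ns_rrset(out)[0] != expected}


def cache_clear_wait(parent_output, child_output):
    """Step 2: longest time a resolver may still hold the previous NS RRset."""
    return max(ns_rrset(parent_output)[1], ns_rrset(child_output)[1])


def serials_agree(responses):
    """Step 10: every server answers with the same SOA serial."""
    serials = {soa_serial(out) for out in responses.values()}
    return len(serials) == 1 and None not in serials


def live_query(server, zone, rtype):
    """Real query (not used offline): +norec so the named server answers from
    its own zone data rather than a cache."""
    cmd = ["dig", "+norec", "+noall", "+answer", "+authority",
           "@" + server, zone, rtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample output, as if captured with Step 3 in progress: the new
# servers already carry the updated NS RRset, the old ones do not, and the
# parent still delegates to the old servers only.
OLD_SERVER = """example.test. 3600 IN NS ns1.old-host.test.
example.test. 3600 IN NS ns2.old-host.test.
"""
NEW_SERVER = """example.test. 3600 IN NS ns1.old-host.test.
example.test. 3600 IN NS ns2.old-host.test.
example.test. 3600 IN NS NS1.new-host.test.
example.test. 3600 IN NS ns2.new-host.test.
"""
PARENT = """example.test. 172800 IN NS ns1.old-host.test.
example.test. 172800 IN NS ns2.old-host.test.
"""
TARGET_NS = {"ns1.old-host.test.", "ns2.old-host.test.",
             "ns1.new-host.test.", "ns2.new-host.test."}
SOA_NEW = ("example.test. 3600 IN SOA ns1.new-host.test. "
           "hostmaster.example.test. 2017010102 7200 3600 1209600 3600\n")
SOA_STALE = ("example.test. 3600 IN SOA ns1.new-host.test. "
             "hostmaster.example.test. 2017010101 7200 3600 1209600 3600\n")

if __name__ == "__main__":
    lagging = servers_disagreeing(
        {"ns1.old-host.test": OLD_SERVER, "ns1.new-host.test": NEW_SERVER}, TARGET_NS)
    print("servers not yet serving the target NS RRset:", sorted(lagging))
    print("seconds to wait for caches to clear:", cache_clear_wait(PARENT, NEW_SERVER))
    print("serials agree:", serials_agree({"a": SOA_NEW, "b": SOA_STALE}))
```

To use it against real servers, replace the embedded strings with the output of `live_query(server, zone, "NS")` for every old and new server plus every parent server, and loop until `servers_disagreeing` returns an empty set before starting the cache-clear wait. The `+norec` flag matters: without it a server that is not authoritative for the zone may answer from its cache and make a lagging server look up to date.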
Note: the above procedure is designed to be transparent to DNS clients. Decommissioning the old servers too early will result in some clients not being able to look up answers in the zone.
Note: while it is possible to run the addition and removal stages together it is not recommended.
© 2001-2017 Internet Systems Consortium