How to change the nameservers for a zone?
Author: ISC Support | Reference Number: AA-00331 | Created: 2011-05-16 19:09 | Last Updated: 2017-03-08 20:54


The information in this article is applicable only to non-DNSSEC-signed zones.

The steps for migrating DNSSEC-signed zones between nameservers can be more complex, particularly if the zone is transitioning between hosting providers. The complexity is due to the need to also transition or replace the signing keys and signatures.

Step 1: Ensure all nameservers, new and old, are serving the same zone content.

Step 2: Work out the maximum TTL of the NS RRset in the parent and child zones. This is the time it will take caches to be clear of a particular version of the NS RRset. If you are just removing nameservers you can skip to Step 6.

Step 3: Add new nameservers to the NS RRset for the zone and wait until all the servers for the zone (new and old) are answering with this updated NS RRset.

Step 4: Inform the parent zone of the new NS RRset, then wait for all the parent servers to be answering with the updated NS RRset (new and old servers).

Step 5: Wait for caches to be clear of the old NS RRset. See Step 2 for how long. If you are just adding nameservers you are done.

Step 6: Remove any old nameservers from the zone's NS RRset and wait for all the servers for the zone to be serving the new NS RRset.

Step 7: Inform the parent zone of the new NS RRset, then wait for all the parent servers to be answering with the new NS RRset.

Step 8: Wait for caches to be clear of the old NS RRset. See Step 2 for how long.

Step 9: Turn off the old nameservers or remove the zone entry from the configuration of the old nameservers.

Step 10: Increment the serial number and wait for the change to be visible in all nameservers for the zone. This ensures that zone transfers are still working after the old servers are decommissioned.
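The "wait until every server answers with the new NS RRset" gates in Steps 3, 4, 6 and 7 and the TTL calculation in Step 2 can be checked mechanically. The following is an added example, not ISC's code: it parses record lines in the format printed by `dig +norecurse +noall +answer +authority <zone> NS @<server>`, and the zone, server names and sample answers are constructed placeholders.

```python
# Added example with constructed data; example.com and the ns* names are placeholders.
# Query authoritative servers directly: a cache reports a TTL that has already counted down.

def parse_ns(dig_text, zone):
    """Return (set of NS targets, highest TTL) for `zone` from dig-style record lines."""
    targets, max_ttl = set(), 0
    for line in dig_text.splitlines():
        fields = line.split()
        # Record lines have five fields: owner, TTL, class, type, rdata.
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        owner, ttl, rrclass, rrtype, rdata = fields
        if owner.lower() == zone.lower() and rrclass == "IN" and rrtype == "NS":
            targets.add(rdata.lower())
            max_ttl = max(max_ttl, int(ttl))
    return targets, max_ttl

def lagging_servers(responses, zone, expected):
    """Servers whose NS RRset for `zone` differs from `expected` (Steps 3, 4, 6, 7)."""
    want = {name.lower() for name in expected}
    return sorted(s for s, text in responses.items() if parse_ns(text, zone)[0] != want)

def cache_wait_seconds(parent_text, child_text, zone):
    """Step 2: the larger of the NS TTLs served by the parent and by the child zone."""
    return max(parse_ns(parent_text, zone)[1], parse_ns(child_text, zone)[1])

ZONE = "example.com."
# Constructed answer from a child-zone server before the change.
OLD = """example.com. 86400 IN NS ns1.example.net.
example.com. 86400 IN NS ns2.example.net."""
# Constructed referral from a parent server (NS records in the authority section).
PARENT = """example.com. 172800 IN NS ns1.example.net.
example.com. 172800 IN NS ns2.example.net."""
UPDATED = OLD + "\nexample.com. 86400 IN NS ns3.example.org."

# Constructed state part-way through Step 3: one old server has not picked up the change.
STEP3 = {"ns1.example.net.": UPDATED, "ns2.example.net.": OLD, "ns3.example.org.": UPDATED}
EXPECTED = {"ns1.example.net.", "ns2.example.net.", "ns3.example.org."}

if __name__ == "__main__":
    print("not yet serving the new NS RRset:", lagging_servers(STEP3, ZONE, EXPECTED))
    print("seconds to wait in Steps 5 and 8:", cache_wait_seconds(PARENT, OLD, ZONE))
```

Move on to the next step only when `lagging_servers` returns an empty list for both the zone's own servers and the parent's servers.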


Note: the above procedure is designed to be transparent to DNS clients. Decommissioning the old servers too early will result in some clients not being able to look up answers in the zone.

Note: while it is possible to run the addition and removal stages together, it is not recommended.


© 2001-2017 Internet Systems Consortium
