Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.protocols.dns.bind > #16057
| Path | csiph.com!3.eu.feeder.erje.net!feeder.erje.net!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Crist Clark <cjc+bind-users@pumpky.net> |
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: DNSSEC migration sanity check |
| Date | Wed, 19 Aug 2020 21:49:28 -0700 |
| Lines | 50 |
| Approved | bind-users@lists.isc.org |
| Message-ID | <mailman.812.1597898943.942.bind-users@lists.isc.org> (permalink) |
| References | <44d00cc0366c4c7fa9342946d5fedd1f@mail.rrcic.com> <CAAcrURK7T5xXN158+DUGnRe7dN6OgpYDYM3AJ23_AGXz+OeitQ@mail.gmail.com> |
| NNTP-Posting-Host | lists.isc.org |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset="UTF-8" |
| Content-Transfer-Encoding | quoted-printable |
| X-Trace | usenet.stanford.edu 1597898992 11330 149.20.1.60 (20 Aug 2020 04:49:52 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| Cc | "bind-users@lists.isc.org" <bind-users@lists.isc.org> |
| To | "John W. Blue" <john.blue@rrcic.com> |
| Return-Path | <yheffen@gmail.com> |
| X-Original-To | bind-users@lists.isc.org |
| Delivered-To | bind-users@lists.isc.org |
| X-Google-DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=5mLkHQcZAQpM703wVQEFc9mglRhT7fb1DmN9C8XHZ68=; b=CFBNgWYXwZM2xVwYnUNxBbsHxKL1rUkCpW0QK1EseoEf1lWi6v9gFAMJLHu4PVsgIm pTfp2e9HWMjd2QT2bB3wGlviX8yS4jhve+Q0TQzc8aJ2Ud+PnbtvCiYWzNqbn7cPvQ4K 1Dgbgd5XaIEz+BMCwSeoavrLn3/YvJ2sNU/mE4bUV6G3bixqE8Mvzcsa4lXoa+XGpRXs ZuLVsJ4qmYY5y0CxRIgXwlYsYIUZz1kHZJitdqLyEiYz6Fspmk8ZZVSIbA2t/FcE1yUd xTso+zJUcCw7f2agpsoo5Bjo028B54wyJIpGChqZHeFb9OQa4l2atvKS5+WjYrcftirc ozJg== |
| X-Gm-Message-State | AOAM533y2LQJamSb2zeiBwaqqlSIWlYdHx/1kmWmYcSzXL/59S9WprZ9 cOemu6U3TtJ5MbSK2YYneCgM8kDpLWTRQ72D5P8W34Nx |
| X-Google-Smtp-Source | ABdhPJwnIVOMm1qXplP/F5DtWohLQNi0oSYIZYWW9OLCyoSVhg/JmqfkywPBlhQvpaUiBPl6HY/usOt5N7ZLGkr9V58= |
| X-Received | by 2002:a1c:b4c1:: with SMTP id d184mr1611433wmf.26.1597898979734; Wed, 19 Aug 2020 21:49:39 -0700 (PDT) |
| In-Reply-To | <44d00cc0366c4c7fa9342946d5fedd1f@mail.rrcic.com> |
| X-Spam-Status | No, score=0.0 required=5.0 tests=FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,KAM_SHORT, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.2 |
| X-Spam-Checker-Version | SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org |
| X-BeenThere | bind-users@lists.isc.org |
| X-Mailman-Version | 2.1.29 |
| Precedence | list |
| List-Id | BIND Users Mailing List <bind-users.lists.isc.org> |
| List-Unsubscribe | <https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe> |
| List-Archive | <https://lists.isc.org/pipermail/bind-users/> |
| List-Post | <mailto:bind-users@lists.isc.org> |
| List-Help | <mailto:bind-users-request@lists.isc.org?subject=help> |
| List-Subscribe | <https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <CAAcrURK7T5xXN158+DUGnRe7dN6OgpYDYM3AJ23_AGXz+OeitQ@mail.gmail.com> |
| X-Mailman-Original-References | <44d00cc0366c4c7fa9342946d5fedd1f@mail.rrcic.com> |
| Xref | csiph.com comp.protocols.dns.bind:16057 |
Show key headers only | View raw
Not sure I understand why you need to do anything except change the authoritative NS records in the zone and in the delegation at the registrar. You also only really need to decrease the TTL on the NS records, not all of the records in the zone. Why touch any keys and the corresponding DS records? Are we missing some complication in your deployment? On Wed, Aug 19, 2020 at 11:44 AM John W. Blue via bind-users <bind-users@lists.isc.org> wrote: > > We are in the process of moving from one IPAM vendor to another. > > > > All of our zones are DNSSEC signed and the TTL’s have been lowered to 300 seconds. > > > > At a high level, the playbook is to update the registrar with names/IP addresses of the new servers and update the DSKEY. Depending on the time of the day that the cutover actually happens at we know the process to request of the registrar an out of band data push so the new servers will be seen by the open Internet. > > > > A suggestion have been put forth that we should unsign our zones prior to migration but I am skeptical of the benefits of doing so. > > > > Are we missing something obvious? > > > > John > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list > > ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users
Back to comp.protocols.dns.bind | Previous | Next | Find similar
Re: DNSSEC migration sanity check Crist Clark <cjc+bind-users@pumpky.net> - 2020-08-19 21:49 -0700
csiph-web