From: Crist Clark
Newsgroups: comp.protocols.dns.bind
Subject: Re: DNSSEC migration sanity check
Date: Wed, 19 Aug 2020 21:49:28 -0700
To: "John W. Blue"
Cc: "bind-users@lists.isc.org"

Not sure I understand why you need to do anything except change the authoritative NS records in the zone and in the delegation at the registrar. You also only really need to decrease the TTL on the NS records, not all of the records in the zone.

Why touch any keys and the corresponding DS records? Are we missing some complication in your deployment?

On Wed, Aug 19, 2020 at 11:44 AM John W. Blue via bind-users wrote:
> We are in the process of moving from one IPAM vendor to another.
>
> All of our zones are DNSSEC signed and the TTL’s have been lowered to 300 seconds.
>
> At a high level, the playbook is to update the registrar with names/IP addresses of the new servers and update the DSKEY. Depending on the time of the day that the cutover actually happens at, we know the process to request of the registrar an out of band data push so the new servers will be seen by the open Internet.
>
> A suggestion has been put forth that we should unsign our zones prior to migration but I am skeptical of the benefits of doing so.
>
> Are we missing something obvious?
>
> John
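
Added example, not part of the original thread: whether the DS records need touching comes down to whether the new servers publish the same DNSKEYs that the DS at the parent already points to. The Python sketch below derives a SHA-256 DS from a DNSKEY (RFC 4034 and RFC 4509) and compares it with the parent's set; the zone name `example.com.`, both keys and all helper names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample keys: (flags, protocol, algorithm, base64 public key).
# 257 = KSK (zone key + SEP), algorithm 15 = Ed25519. Not real key material.
OLD_KSK = (257, 3, 15, base64.b64encode(bytes(range(32))).decode())
NEW_KSK = (257, 3, 15, base64.b64encode(bytes(range(32, 64))).decode())


def name_to_wire(name):
    """Canonical (lowercased) wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    flags, protocol, algorithm, pub_b64 = key
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pub_b64)


def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, key):
    """(key tag, algorithm, digest type 2, SHA-256 hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], 2, digest)


def ds_still_valid(parent_ds, owner, served_keys):
    """True if at least one parent DS matches a DNSKEY the new servers serve."""
    computed = {ds_from_dnskey(owner, k) for k in served_keys}
    return any(tuple(ds) in computed for ds in parent_ds)


if __name__ == "__main__":
    zone = "example.com."
    parent = [ds_from_dnskey(zone, OLD_KSK)]  # DS currently at the registrar
    print("keys carried over:", ds_still_valid(parent, zone, [OLD_KSK]))
    print("keys regenerated: ", ds_still_valid(parent, zone, [NEW_KSK]))
```

If the check fails for the key set the new servers will serve, validating resolvers would see the zone as bogus after cutover until a matching DS is published at the parent.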