What is the recommend procedure for changing nameservers with DNSSEC enabled?
Solution 1
I found that there is a DNSSEC propagation delay, so the approach is:
- Disable DNSSEC at Registrar
- Wait 24 hours
- Disable DNSSEC at Nameserver
- Switch nameservers
This was the answer I was looking for, and eventually found through other resources.
Solution 2
If you are switching to Google Cloud DNS or another NS that supports DNSSEC transfer state, you can set your incoming NS's DNSSEC to transfer state which allows you to switch without downtime while remaining secure. Essentially the procedure is to use the same signing as the previous NS then add DS on the registrar. If DNSSEC is enabled on the NS but not the registrar, resolution will still happen nominally. That is key to preventing downtime.
To Cloud DNS https://cloud.google.com/dns/dnssec-config#migrating-to
From Cloud DNS https://cloud.google.com/dns/dnssec-config#migrating-from
From the docs:
Check that Google Cloud DNS supports the same KSK algorithm already in use. If not, deactivate DNSSEC at your domain registrar before migrating the zone and updating the name server records at the registrar to use the Cloud DNS name servers.
If the existing KSK and ZSK algorithms are supported in Google Cloud DNS, you can perform the migration with DNSSEC enabled, following these steps:
Create a new DNSSEC-signed zone in DNSSEC 'Transfer' state. Transfer state allows you to manually copy DNSKEYs into the zone.
From the transfer pop up:
Entering transfer state DNSSEC will remain enabled for this zone, but only in transfer state. Transfer state allows you to migrate DNS zones between Google Cloud DNS and another DNS provider while keeping DNSSEC enabled.
It is safe to enter transfer state. Google Cloud DNS will still serve your zone and regenerate DNSSEC signatures as needed. However, you should not leave your zone in transfer state indefinitely. The DNSSEC zone signing keys (ZSKs) are not rotated while in transfer state, which reduces the security of your zone over time.
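Both answers turn on one rule: the DS set at the parent must never point at keys the authoritative servers are not serving. Solution 1 gets there by removing the DS (and waiting out its TTL) before unsigning; Solution 2 keeps the zone signed with the same keys so the existing DS still matches after the switch. The script below is an added example, not code from either answer or from Google's documentation. It computes DS records from DNSKEY RDATA (RFC 4034 key tag, RFC 4034/4509 digest over canonical owner name plus RDATA) and classifies what a validating resolver will see once the NS records point at the new provider. The key bytes in `demo()` are made up and the set of algorithms passed as "supported by the target provider" is an assumption; in practice you feed it `dig DS example.com` and `dig DNSKEY example.com @<new nameserver>` output and the list from the provider's own documentation.

```python
"""Pre-cutover DNSSEC check (added example, not from the original Q&A).

Does the DS set at the parent (registrar) match a DNSKEY that the *new*
nameservers will serve?  If not, switching NS records produces a bogus
delegation and validating resolvers SERVFAIL.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def parse(cls, presentation: str) -> "DNSKEY":
        """Parse RDATA as printed by dig: '257 3 13 <base64 ...>' (base64 may be split)."""
        flags, protocol, algorithm, *b64 = presentation.split()
        return cls(int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64)))

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit set: this key is what a DS points at

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
        acc = 0
        for i, byte in enumerate(self.rdata()):
            acc += byte << 8 if i % 2 == 0 else byte
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex

    @classmethod
    def parse(cls, presentation: str) -> "DS":
        """Parse RDATA as printed by dig: '12345 13 2 <hex ...>'."""
        tag, alg, dtype, *digest = presentation.split()
        return cls(int(tag), int(alg), int(dtype), "".join(digest).upper())

    @classmethod
    def from_dnskey(cls, owner: str, key: DNSKEY, digest_type: int = 2) -> "DS":
        digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + key.rdata()).hexdigest()
        return cls(key.key_tag(), key.algorithm, digest_type, digest.upper())

    def matches(self, owner: str, key: DNSKEY) -> bool:
        if self.digest_type not in DIGEST_ALGOS:
            return False  # unknown digest type: cannot validate with it
        return self == DS.from_dnskey(owner, key, self.digest_type)


def cutover_check(owner: str, parent_ds: list, new_dnskeys: list, supported_algorithms: set):
    """Return (state, problems) for the moment NS records flip to the new provider.

    state is what a validating resolver will conclude:
      'insecure' - no DS at the parent: unsigned delegation, always resolves (Solution 1)
      'secure'   - a DS matches a key the new servers publish (Solution 2, transfer state)
      'bogus'    - DS present but no matching DNSKEY: SERVFAIL, i.e. the outage warned about
    """
    problems = []
    for key in new_dnskeys:
        if key.is_ksk() and key.algorithm not in supported_algorithms:
            problems.append(f"KSK tag {key.key_tag()} uses algorithm {key.algorithm}, "
                            "which the target provider does not support: cannot import it")
    if not parent_ds:
        return "insecure", problems
    if any(ds.matches(owner, key) for ds in parent_ds for key in new_dnskeys):
        return "secure", problems
    problems.append("no DS at the parent matches any DNSKEY the new nameservers serve: "
                    "validating resolvers will return SERVFAIL after the NS switch")
    return "bogus", problems


def demo():
    owner = "example.com."
    # Constructed KSK: flags 257 = ZONE|SEP, protocol 3, algorithm 13 (ECDSAP256SHA256).
    # The key bytes are made up; enough for DS arithmetic, not for signature validation.
    old_ksk = DNSKEY(257, 3, 13, bytes(range(64)))
    parent_ds = [DS.from_dnskey(owner, old_ksk)]          # what the registrar published
    assumed_supported = {8, 13}                           # assumption: check provider docs
    return {
        "same_keys": cutover_check(owner, parent_ds, [old_ksk], assumed_supported),
        "resigned_with_new_key": cutover_check(owner, parent_ds,
                                               [DNSKEY(257, 3, 13, bytes(range(1, 65)))],
                                               assumed_supported),
        "ds_removed_first": cutover_check(owner, [], [old_ksk], assumed_supported),
    }


if __name__ == "__main__":
    for scenario, (state, problems) in demo().items():
        print(f"{scenario}: {state}", *problems, sep="\n  ")
```

The three scenarios in `demo()` are the three outcomes the thread discusses: keeping the old keys in transfer state (secure), letting the new provider generate fresh keys while the old DS is still at the parent (bogus, the outage buckaroo1177125 warns about), and removing the DS first as in Solution 1 (insecure but resolving). Note that a DS only has to match one KSK; the new provider can also publish its own keys alongside the imported ones, which is how the DS is later rolled to keys the new provider controls.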
Mohit Dhingra
Updated on September 18, 2022
Comments
- Mohit Dhingra (almost 2 years ago): Do I need to disable the DNSSEC DS record and DNSSEC, let that propagate, and then change nameservers only after that has well propagated?
- Sandeep Bhaskar (about 5 years ago): Please define "DNSSEC propagation delay". Even if used by everyone, there is not really a "propagation" in the DNS world, as updates do not flow top down.
- buckaroo1177125 (about 3 years ago): Disabling the DNSSEC at your DNS provider is dangerous and a possible cause for an outage. If the records are signed, then, DS present or no DS, it will still resolve. But with a DS and no signed records, you'll risk an outage.