What is the recommend procedure for changing nameservers with DNSSEC enabled?


Solution 1

I found that there is a DNSSEC propagation delay, so the approach is:

  1. Disable DNSSEC at Registrar
  2. Wait 24 hours
  3. Disable DNSSEC at Nameserver
  4. Switch nameservers

This was the answer I was looking for, and eventually found through other resources.

Solution 2

If you are switching to Google Cloud DNS or another NS that supports DNSSEC transfer state, you can set your incoming NS's DNSSEC to transfer state which allows you to switch without downtime while remaining secure. Essentially the procedure is to use the same signing as the previous NS then add DS on the registrar. If DNSSEC is enabled on the NS but not the registrar, resolution will still happen nominally. That is key to preventing downtime.

To Cloud DNS https://cloud.google.com/dns/dnssec-config#migrating-to

From Cloud DNS https://cloud.google.com/dns/dnssec-config#migrating-from

From the docs:

check that Google Cloud DNS supports the same KSK algorithm already in use. If not, deactivate DNSSEC at your domain registrar before migrating the zone and updating the name server records at the registrar to use the Cloud DNS name servers.

If the existing KSK and ZSK algorithms are supported in Google Cloud DNS, you can perform the migration with DNSSEC enabled, following these steps:

Create a new DNSSEC-signed zone in DNSSEC 'Transfer' state. Transfer state allows you to manually copy DNSKEYs into the zone.

From the transfer pop up:

Entering transfer state DNSSEC will remain enabled for this zone, but only in transfer state. Transfer state allows you to migrate DNS zones between Google Cloud DNS and another DNS provider while keeping DNSSEC enabled.

It is safe to enter transfer state. Google Cloud DNS will still serve your zone and regenerate DNSSEC signatures as needed. However, you should not leave your zone in transfer state indefinitely. The DNSSEC zone signing keys (ZSKs) are not rotated while in transfer state, which reduces the security of your zone over time.
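The rule both answers and the last comment rely on is that a validating resolver only fails when the registrar publishes a DS record that matches none of the DNSKEYs the nameserver serves. The following added example (my own code, not from the answers or Google's documentation; every function name and the sample key are constructed) computes DS digests and key tags as RFC 4034 defines them and classifies the three states a migration can land in, so you can check a DS/DNSKEY pair offline before and after switching nameservers.

```python
"""Offline check of the parent-DS / child-DNSKEY relationship that decides whether a
DNSSEC nameserver change is safe. Constructed example; the sample key is not a real key."""
import base64
import hashlib
import struct

# Constructed sample keys (flags, protocol, algorithm, base64 public key); not real RSA keys
SAMPLE_KSK = (257, 3, 8, base64.b64encode(b"constructed-not-a-real-ksk").decode())
OTHER_KSK = (257, 3, 8, base64.b64encode(b"a-different-constructed-key").decode())

def wire_name(name):
    # Owner name in canonical DNS wire format (lowercase labels), RFC 4034 section 6.2
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    # DNSKEY RDATA = flags(2) | protocol(1) | algorithm(1) | public key
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    # Key tag per RFC 4034 Appendix B: 16-bit sum of big-endian byte pairs plus carry
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    # DS digest = hash(owner name in wire form | DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    # The DS tuple (key_tag, algorithm, digest_type, digest) a registrar should publish for a KSK
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))

def classify(owner, dnskeys, ds_records):
    """dnskeys: DNSKEY tuples served by the nameserver; ds_records: DS tuples published
    at the registrar. Returns the state a validating resolver would see for the zone."""
    if not ds_records:
        return "insecure"   # no DS at the parent: the zone resolves, just without validation
    for tag, alg, dtype, digest in ds_records:
        for flags, proto, kalg, b64 in dnskeys:
            rdata = dnskey_rdata(flags, proto, kalg, b64)
            if (kalg == alg and key_tag(rdata) == tag
                    and ds_digest(owner, rdata, dtype) == digest.upper()):
                return "secure"   # DS matches a served key: chain of trust intact
    return "bogus"   # DS published but no matching DNSKEY: validating resolvers return SERVFAIL

if __name__ == "__main__":
    ds = make_ds("example.test", *SAMPLE_KSK)
    print(classify("example.test", [SAMPLE_KSK], [ds]))   # secure: same keys, DS in place
    print(classify("example.test", [], [ds]))             # bogus: DS left at registrar, zone unsigned
    print(classify("example.test", [SAMPLE_KSK], []))     # insecure: signed zone, no DS yet
```

The "bogus" branch is the outage the last comment warns about; the "insecure" branch is why Solution 2 can add the DS at the registrar only after the new nameserver serves the same keys.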

Author: Mohit Dhingra

Updated on September 18, 2022

Comments

  • Mohit Dhingra, almost 2 years ago:
    Do I need to disable the DNSSEC DS record and DNSSEC, let that propagate, and then change nameservers only after that has well propagated?

  • Sandeep Bhaskar, about 5 years ago:
    Please define "DNSSEC propagation delay". Even if used by everyone, there is not really a "propagation" in the DNS world, as updates do not flow top down.
  • buckaroo1177125, about 3 years ago:
    Disabling DNSSEC at your DNS provider is dangerous and a possible cause of an outage. If the records are signed, then with a DS present or no DS, it will still resolve. But with a DS and no signed records, you'll risk an outage.