moving DNSSEC to a hidden master

David Newman dnewman at
Tue Oct 1 21:16:11 UTC 2013

Is there a recommended order of operations when moving DNSSEC-enabled
nameservers to a hidden-master setup?

I'm hoping it's just as simple as moving all these files into place on
the hidden master:


If not, what do I need to do? In theory I suppose I could crank all TTLs
down to 0 and generate new keys on the hidden master and generate new DS
keys for the registrar, but is that necessary?

This is all on bind 9.9.4.



More information about the bind-users mailing list