moving DNSSEC to a hidden master

Alan Clegg alan at
Wed Oct 2 00:47:37 UTC 2013

On Oct 1, 2013, at 8:27 PM, David Newman <dnewman at> wrote:

> On 10/1/13 2:16 PM, David Newman wrote:
>> Is there a recommended order of operations when moving DNSSEC-enabled
>> nameservers to a hidden-master setup?
> Actually, this is really a more general question: Is there a recommended
> order of operations when migrating zones between any two DNSSEC-enabled
> nameservers, assuming the same version of bind on each?

Eh... I'm not sure what the complexity here is.

Set the "new" machine up as a slave, use the standard axfr mechanism to replicate the zones, move the keying material and then convert the new system form slave to master while taking the existing master off-line.

What am I missing?

Alan Clegg | +1-919-355-8851 | alan at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the bind-users mailing list