Adding/removing name servers under DNSSEC

Mathew Ian Eis Mathew.Eis at
Mon Mar 6 23:32:23 UTC 2017


Hoping someone in the community will have experience with this.

We are looking to migrate off a set of nameservers to another set of nameservers. For all practical considerations, both sets of servers are slave to the same hidden master, which yields interesting considerations that are not part of the “normal” practices in terms of the migration. (Being that “normal” migrations are from one provider to another and require cutting a new set of keys).

I see the steps as:

1. Add new nameservers to zone NS records. (do not remove old nameservers yet)
2. Wait at least zone NS TTL. (new servers may not be trusted during this time)
3. Update registry to add new nameservers & remove old nameservers.
4. Wait at least registry NS TTL. (old nameservers may not be trusted as cache expires, but new servers will)
6. Remove NS records for old nameservers from zone.

The reason for not making the change in one quick pass would presumably be the risk of complete mismatch between the registry NS records and the zone NS records in the event the registry data is cached but the zone data is not.

Does anyone have any experience that would suggest differently?

Thanks in advance,

Mathew Eis
Northern Arizona University

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list