Adding/removing name servers under DNSSEC

Mathew Ian Eis Mathew.Eis at nau.edu
Tue Mar 7 01:25:30 UTC 2017


To clarify this step *You update the NS records (parent and child)* - you add NS records for new nameservers to parent and child (at approximately the same time), but do not remove NS records for old nameservers (until after all cached records expire). Is this correct?

As to serving the same content from old and new nameservers, that will be easy in this case since all are slaves to the same (hidden) master.

Thanks again,

Mathew Eis
Northern Arizona University

-----Original Message-----
From: Mark Andrews <marka at isc.org>
Date: Monday, March 6, 2017 at 5:32 PM
To: Mathew Ian Eis <Mathew.Eis at nau.edu>
Cc: "bind-users at lists.isc.org" <bind-users at isc.org>
Subject: Re: Adding/removing name servers under DNSSEC

    
    In message <924327F5-6D1D-49F4-80C1-B1A2C539FC2B at nau.edu>, Mathew Ian Eis writes:
    > Hi BIND,
    >
    > Hoping someone in the community will have experience with this.
    >
    > We are looking to migrate off a set of nameservers to another set of
    > nameservers. For all practical considerations, both sets of servers are
    > slave to the same hidden master, which yields interesting considerations
    > that are not part of the normal practices in terms of the migration.
    > (Being that normal migrations are from one provider to another and
    > require cutting a new set of keys).
    >
    > I see the steps as:
    >
    > 1. Add new nameservers to zone NS records. (do not remove old nameservers
    > yet)
    > 2. Wait at least zone NS TTL. (new servers may not be trusted during this
    > time)
    > 3. Update registry to add new nameservers & remove old nameservers.
    > 4. Wait at least registry NS TTL. (old nameservers may not be trusted as
    > cache expires, but new servers will)
    > 6. Remove NS records for old nameservers from zone.
    >
    > The reason for not making the change in one quick pass would presumably
    > be the risk of complete mismatch between the registry NS records and the
    > zone NS records in the event the registry data is cached but the zone
    > data is not.
    >
    > Does anyone have any experience that would suggest differently?
    >
    > Thanks in advance,
    >
    > Mathew Eis
    > Northern Arizona University
    
    * You configure the new servers. All servers should be serving the
      same content during the change sans zone transfer delays.
    * You update the NS records (parent and child).
    * Wait for all the servers to have the new NS records (parent and child).
    * Wait for cached NS records to expire (max parent/child TTL).
    * Deconfigure the old servers for the zone.
    
    This really is independent of DNSSEC.  Many people don't do this
    correctly.  They don't ensure new and old servers serve the same
    content during the change over or add the necessary wait periods.
    
    Mark
    -- 
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
    
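Mark's checklist (old and new servers serving identical content, parent and child NS sets agreeing, then waiting the larger of the parent and child NS TTLs) is easy to script. The following is an added example, not code from either poster or from BIND: it assumes `dig` is on PATH for live queries, runs its checks here against constructed answers, and every hostname (example.net, hidden-master.example.net, parent-server.example) is a placeholder.

```python
"""Delegation-consistency audit for an NS-set change.

Added example, not code from the bind-users thread or from BIND. Assumes
`dig` (BIND's client) is on PATH for live use; the parser and checks run
offline on the constructed answers below. All hostnames are placeholders.
"""
import subprocess
from collections import namedtuple

RR = namedtuple("RR", "name ttl rtype rdata")


def parse_answer(text):
    """Parse `dig +noall +answer` / `+authority` lines: 'name TTL IN TYPE rdata'."""
    rrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, ttl, _cls, rtype = parts[:4]
        rrs.append(RR(name.lower(), int(ttl), rtype.upper(), " ".join(parts[4:]).lower()))
    return rrs


def dig_section(server, name, rtype, section="answer"):
    """Live query of one server without recursion. Use section="authority" for
    the parent: it is not authoritative for the child NS, so the delegation
    comes back in the referral's AUTHORITY section."""
    cmd = ["dig", "+noall", f"+{section}", "+norecurse", f"@{server}", name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_answer(out)


def ns_set(rrs):
    return frozenset(rr.rdata for rr in rrs if rr.rtype == "NS")


def max_ns_ttl(rrs):
    return max((rr.ttl for rr in rrs if rr.rtype == "NS"), default=0)


def audit(parent, child, soa):
    """parent: {server: delegation RRs}, child: {server: apex RRs},
    soa: {server: SOA RRs}. Returns (findings, seconds to wait before
    deconfiguring old servers, i.e. the largest NS TTL seen on either side)."""
    findings = []
    parent_sets = {s: ns_set(r) for s, r in parent.items()}
    child_sets = {s: ns_set(r) for s, r in child.items()}
    if len(set(parent_sets.values())) > 1:
        findings.append("parent servers disagree on the delegation NS set")
    if len(set(child_sets.values())) > 1:
        findings.append("child servers disagree on the apex NS set")
    parent_all = frozenset().union(*parent_sets.values())
    child_all = frozenset().union(*child_sets.values())
    for host in sorted(parent_all - child_all):
        findings.append(f"{host} delegated by parent but absent from child apex")
    for host in sorted(child_all - parent_all):
        findings.append(f"{host} in child apex but not delegated by parent")
    # Every server a resolver might be sent to must answer, all at one serial.
    serials = {}
    for host in sorted(parent_all | child_all):
        rrs = [rr for rr in soa.get(host, []) if rr.rtype == "SOA"]
        if not rrs:
            findings.append(f"{host} did not answer SOA for the zone")
            continue
        serials[host] = int(rrs[0].rdata.split()[2])  # mname rname SERIAL ...
    if len(set(serials.values())) > 1:
        findings.append(f"SOA serial mismatch: {serials}")
    wait = max([max_ns_ttl(r) for r in list(parent.values()) + list(child.values())], default=0)
    return findings, wait


# Constructed sample answers (placeholders) in `dig +noall +answer` layout.
OLD_NS = ("ns1.example.net.", "ns2.example.net.")
NEW_NS = ("ns3.example.net.", "ns4.example.net.")
ALL_NS = OLD_NS + NEW_NS


def _ns_rrs(names, ttl):
    return "\n".join(f"example.net. {ttl} IN NS {n}" for n in names)


PARENT_DELEGATION = _ns_rrs(ALL_NS, 172800)      # as seen in the parent's AUTHORITY section
CHILD_APEX = _ns_rrs(ALL_NS, 3600)
CHILD_APEX_NO_NS1 = _ns_rrs(ALL_NS[1:], 3600)    # ns1 already dropped at the apex
SOA_NEW = ("example.net. 3600 IN SOA hidden-master.example.net. "
           "hostmaster.example.net. 2017030601 7200 3600 1209600 3600")
SOA_OLD = SOA_NEW.replace("2017030601", "2017030600")


def example_consistent():
    """Both sides list old+new servers, all at the same serial: nothing to report."""
    parent = {"parent-server.example": parse_answer(PARENT_DELEGATION)}
    child = {h: parse_answer(CHILD_APEX) for h in ALL_NS}
    soa = {h: parse_answer(SOA_NEW) for h in ALL_NS}
    return audit(parent, child, soa)


def example_premature_removal():
    """ns1 deconfigured and removed from the apex while the parent still
    delegates to it, and ns4 one serial behind (zone transfer delay)."""
    parent = {"parent-server.example": parse_answer(PARENT_DELEGATION)}
    child = {h: parse_answer(CHILD_APEX_NO_NS1) for h in ALL_NS[1:]}
    soa = {h: parse_answer(SOA_NEW) for h in ALL_NS[1:]}
    soa["ns4.example.net."] = parse_answer(SOA_OLD)
    return audit(parent, child, soa)


if __name__ == "__main__":
    for fn in (example_consistent, example_premature_removal):
        findings, wait = fn()
        print(f"{fn.__name__}: wait {wait}s; findings: {findings or 'none'}")
```

For a live run, build the three dictionaries with `dig_section(parent_server, zone, "NS", "authority")` for each parent server and `dig_section(ns, zone, "NS")` / `dig_section(ns, zone, "SOA")` for every server named on either side, then call `audit`. The second scenario reproduces the failure Mathew describes: a resolver holding the parent's cached delegation can still be sent to ns1 after it has stopped serving the zone, and the returned wait (the 172800 s parent TTL here, not the 3600 s child TTL) is how long the old servers must keep answering after the last NS change.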