DNSSEC migration sanity check
John W. Blue
john.blue at rrcic.com
Wed Aug 19 18:45:54 UTC 2020
We are in the process of moving from one IPAM vendor to another.
All of our zones are DNSSEC signed and the TTL's have been lowered to 300 seconds.
At a high level, the playbook is to update the registrar with names/IP addresses of the new servers and update the DSKEY. Depending on the time of the day that the cutover actually happens at we know the process to request of the registrar an out of band data push so the new servers will be seen by the open Internet.
A suggestion have been put forth that we should unsign our zones prior to migration but I am skeptical of the benefits of doing so.
Are we missing something obvious?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users