DNSSEC migration sanity check

John W. Blue john.blue at rrcic.com
Fri Sep 4 20:34:46 UTC 2020

Howdy bind-users list.

TLDR: we were able to move zones between DNS servers with different KSK/ZSK while keeping the zones secure.

First I want to say a BIG thank you for the replies received since it helped in documenting our workflow for these migrations.

Off list, Paul E. mentioned that a test domain might be handy and that obvious suggestion made a big difference.  No pressure if we mess it up.  Thanks Paul.

Additionally, Paul also included a link to a draft of multi-signer DNSSEC:


Of note is the section titled:  2.1.2.  Model 2: Unique KSK set and ZSK set per provider

Therein it mentions how "Each provider has their own KSK and ZSK sets" and that is exactly the situation we found ourselves.  Our testing showed that we could "double-sign" our test zone (is that the correct phrase in this context?) and it remained secured as indicated by the "ad" flag:

# dig fqdnhere.com +dnssec +multi

; <<>> DiG 9.14.2 <<>> fqdnhere.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44429
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

Although dnsviz.net indicated that the zone was secure it produced many, many complaints about errors it was finding.  Which, honestly, is to be expected.  For example:

"The DS RRset for the zone included algorithm 10 (RSASHA512), but no DS RR matched a DNSKEY with algorithm 10 that signs the zone's DNSKEY RRset"

At first glance the task looked overwhelming but it could not have been easier.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200904/470469b6/attachment.htm>

More information about the bind-users mailing list