Recommendations for replacing a master server without breaking DNSSEC

Ralph Seichter ralph at
Tue Nov 23 23:44:30 UTC 2021

Hello list members.

Imagine a BIND9 master-and-slave pair (let's call them Alpha and Omega,
respectively) with automatic synchronisation in place. Imagine further
that Alpha needs to be replaced by a brand new server Beta hosted in a
different data center, which implies new hardware and IP addresses.

How would you go about moving all functionality from Alpha to Beta,
ideally with minimal downtime, and with the hard requirement of not
breaking DNSSEC? How would one need to handle key material, zone
signatures, journals, etc.?

I conducted tests with a non-production domain, but I seem to be doing
something wrong re DNSSEC. I'd appreciate you sharing any experiences
and recommendations you may have in this matter. Thanks!
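The checks below are an added example, not part of the post above and not BIND's own tooling. They take dig-style `+noall +answer` output captured from the old and new servers (Alpha and Beta) plus the DS record published by the parent, and flag three things that commonly break resolution after such a cutover: a DNSKEY RRset that differs between the two servers, a SOA serial that went backwards (RFC 1982 serial arithmetic), and a DS at the parent that no longer matches any KSK the new server publishes (RFC 4034 Appendix B key tag). The zone name, serials, key bytes and DS digest in the sample are constructed placeholders, not real key material; the DS digest itself is not verified, only key tag and algorithm.

```python
"""Pre-cutover DNSSEC sanity checks for an Alpha -> Beta master migration.

Added example; inputs are constructed, dig-style answer sections.
"""
from __future__ import annotations

import base64
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes  # raw public key (base64 from the presentation format decoded)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the wire-format RDATA."""
        rdata = struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey
        ac = 0
        for i, b in enumerate(rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit set -> key-signing key


def _records(text: str, rrtype: str) -> list[list[str]]:
    """Split 'owner TTL IN TYPE rdata...' lines and keep those of one type."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [r for r in rows if len(r) > 4 and r[3] == rrtype]


def parse_dnskeys(text: str) -> set[DNSKEY]:
    return {
        DNSKEY(int(r[4]), int(r[5]), int(r[6]), base64.b64decode("".join(r[7:])))
        for r in _records(text, "DNSKEY")
    }


def soa_serial(text: str) -> int | None:
    rows = _records(text, "SOA")
    return int(rows[0][6]) if rows else None  # mname rname SERIAL refresh ...


def parse_ds_tags(text: str) -> set[tuple[int, int]]:
    """(key tag, algorithm) pairs from DS records; the digest is not checked here."""
    return {(int(r[4]), int(r[5])) for r in _records(text, "DS")}


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982: is serial a less than serial b (32-bit wraparound aware)?"""
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)


def cutover_problems(alpha: str, beta: str, parent_ds: str) -> list[str]:
    """Return a list of reasons Beta should not yet replace Alpha (empty = OK)."""
    problems = []
    a_keys, b_keys = parse_dnskeys(alpha), parse_dnskeys(beta)
    if a_keys != b_keys:
        problems.append("DNSKEY RRset differs between Alpha and Beta")
    a_serial, b_serial = soa_serial(alpha), soa_serial(beta)
    if a_serial is None or b_serial is None:
        problems.append("SOA missing on Alpha or Beta")
    elif serial_lt(b_serial, a_serial):
        problems.append(f"Beta serial {b_serial} is behind Alpha serial {a_serial}")
    ksk_tags = {(k.key_tag(), k.algorithm) for k in b_keys if k.is_ksk}
    if not parse_ds_tags(parent_ds) & ksk_tags:
        problems.append("no DS at the parent matches a KSK published by Beta")
    return problems


# Constructed sample data (placeholder zone, serials and key bytes).
ALPHA = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2021112301 7200 3600 1209600 3600
example.test. 3600 IN DNSKEY 257 3 13 AAECAw==
example.test. 3600 IN DNSKEY 256 3 13 BAUGBw==
"""
BETA_OK = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2021112302 7200 3600 1209600 3600
example.test. 3600 IN DNSKEY 256 3 13 BAUGBw==
example.test. 3600 IN DNSKEY 257 3 13 AAECAw==
"""
BETA_STALE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2021112300 7200 3600 1209600 3600
example.test. 3600 IN DNSKEY 256 3 13 BAUGBw==
"""
# Key tag 1554 is the RFC 4034 tag of the constructed KSK above; digest is a dummy.
PARENT_DS = "example.test. 86400 IN DS 1554 13 2 " + "00" * 32 + "\n"

if __name__ == "__main__":
    for label, beta in (("Beta (ok)", BETA_OK), ("Beta (stale)", BETA_STALE)):
        print(label, cutover_problems(ALPHA, beta, PARENT_DS) or "no problems found")
```

In practice the three inputs would come from `dig @<server> example.test DNSKEY +noall +answer`, the same for SOA, and `dig example.test DS +noall +answer` against a resolver for the parent side. The checker deliberately ignores RRSIGs: whether Beta's signatures validate, and whether the private keys behind these DNSKEYs actually exist on Beta, still has to be confirmed separately (for example with `delv` against Beta) before traffic is moved.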


