Re: DNSSEC migration sanity check


Bind-Users forum mailing list

Howdy bind-users list.


TLDR: we were able to move zones between DNS servers with different KSK/ZSK while keeping the zones secure.



First I want to say a BIG thank you for the replies received since it helped in documenting our workflow for these migrations.


Off list, Paul E. mentioned that a test domain might be handy and that obvious suggestion made a big difference.  No pressure if we mess it up.  Thanks Paul.


Additionally, Paul also included a link to a draft of multi-signer DNSSEC:


Of note is the section titled:  2.1.2.  Model 2: Unique KSK set and ZSK set per provider


Therein it mentions how “Each provider has their own KSK and ZSK sets” and that is exactly the situation we found ourselves in.  Our testing showed that we could “double-sign” our test zone (is that the correct phrase in this context?) and it remained secured as indicated by the “ad” flag:


# dig +dnssec +multi                    


; <<>> DiG 9.14.2 <<>> +dnssec +multi

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44429

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1


Although it indicated that the zone was secure, it produced many, many complaints about errors it was finding.  Which, honestly, is to be expected.  For example:


“The DS RRset for the zone included algorithm 10 (RSASHA512), but no DS RR matched a DNSKEY with algorithm 10 that signs the zone's DNSKEY RRset”


At first glance the task looked overwhelming but it could not have been easier.
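The check behind the complaint quoted above can be scripted offline. The following is an added example, not code from the post or from BIND: it parses the text of `dig +dnssec +multi` output, reports whether the resolver set the `ad` flag, and then applies the RFC 6840 section 5.11 algorithm rule (every algorithm in the DS RRset needs a DNSKEY of that algorithm and an RRSIG over the DNSKEY RRset made with that algorithm). Because the DS RRset lives at the parent and the DNSKEY RRset at the child, the function expects the two dig outputs concatenated into one string. The zone name `example.test`, the key tags, digests and key material are all constructed placeholders.

```python
"""Offline sanity check for a double-signed zone during a DNSSEC provider move.

Input: concatenated `dig +dnssec +multi` text for the parent's DS RRset and
the child's DNSKEY RRset.  Output: whether the AD flag was set, plus any
violations of the RFC 6840 section 5.11 algorithm rule, which is what
produces complaints such as "The DS RRset for the zone included algorithm
10 (RSASHA512), but no DS RR matched a DNSKEY with algorithm 10 ...".
"""
import re

ALGORITHM_NAMES = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                   14: "ECDSAP384SHA384", 15: "ED25519"}

# Constructed sample of a zone mid-migration: the parent still publishes DS
# records for the old (alg 10) and new (alg 13) provider, but only the new
# provider's keys and signature are in the DNSKEY RRset.  Digests and key
# material are placeholders, not real values.
MID_MIGRATION = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44429
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.           3600 IN DS 23456 10 2 (
                                0000000000000000000000000000000000000000
                                000000000000000000000000 )
example.test.           3600 IN DS 12345 13 2 (
                                1111111111111111111111111111111111111111
                                111111111111111111111111 )
example.test.           3600 IN DNSKEY 257 3 13 (
                                cOnStRuCtEdKsKmAtErIaL==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 12345
example.test.           3600 IN DNSKEY 256 3 13 (
                                cOnStRuCtEdZsKmAtErIaL==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 54321
example.test.           3600 IN RRSIG DNSKEY 13 2 3600 (
                                20250201000000 20250101000000 12345 example.test.
                                cOnStRuCtEdSiGnAtUrE== )
"""

# The old provider's alg-10 keys and DNSKEY signature; appended below to show
# what a correctly double-signed DNSKEY RRset looks like (also constructed).
OLD_PROVIDER_KEYS = """\
example.test.           3600 IN DNSKEY 257 3 10 (
                                cOnStRuCtEdOlDkSk== ) ; KSK; alg = RSASHA512 ; key id = 23456
example.test.           3600 IN DNSKEY 256 3 10 (
                                cOnStRuCtEdOlDzSk== ) ; ZSK; alg = RSASHA512 ; key id = 65432
example.test.           3600 IN RRSIG DNSKEY 10 2 3600 (
                                20250201000000 20250101000000 23456 example.test.
                                cOnStRuCtEdOlDsIg== )
"""
DOUBLE_SIGNED = MID_MIGRATION + OLD_PROVIDER_KEYS


def _join_parenthesised(text):
    """Re-join records that dig +multi wraps across lines inside ( )."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        buf.append(raw)
        depth += raw.count("(") - raw.count(")")
        if depth <= 0:
            out.append(" ".join(buf))
            buf, depth = [], 0
    if buf:
        out.append(" ".join(buf))
    return out


def parse_dig(text):
    """Return (flags, records); each record is a dict with owner/type/rdata."""
    flags, records = set(), []
    for line in _join_parenthesised(text):
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            flags |= set(m.group(1).split())
            continue
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        # Drop dig's trailing "; KSK; alg = ..." comment and the parentheses.
        fields = [f for f in line.split(";", 1)[0].split() if f not in ("(", ")")]
        if len(fields) < 5 or fields[2] != "IN":
            continue
        records.append({"owner": fields[0], "type": fields[3], "rdata": fields[4:]})
    return flags, records


def _algorithms(records, rtype, alg_index, covered=None):
    """Set of algorithm numbers used by records of rtype (optionally only
    RRSIGs covering a given type)."""
    return {int(r["rdata"][alg_index]) for r in records
            if r["type"] == rtype and (covered is None or r["rdata"][0] == covered)}


def algorithm_problems(records):
    """RFC 6840 5.11 violations; an empty list means the algorithms line up."""
    ds_algs = _algorithms(records, "DS", 1)
    key_algs = _algorithms(records, "DNSKEY", 2)
    sig_algs = _algorithms(records, "RRSIG", 1, covered="DNSKEY")
    name = lambda a: ALGORITHM_NAMES.get(a, "unknown")
    problems = []
    for alg in sorted(ds_algs - key_algs):
        problems.append(f"DS RRset includes algorithm {alg} ({name(alg)}) "
                        f"but no DNSKEY uses that algorithm")
    for alg in sorted((ds_algs | key_algs) - sig_algs):
        problems.append(f"algorithm {alg} ({name(alg)}) is in the DS or DNSKEY "
                        f"RRset but no RRSIG over the DNSKEY RRset uses it")
    return problems


def check_zone(text):
    """Return (ad_flag_set, problems) for the concatenated dig output."""
    flags, records = parse_dig(text)
    return "ad" in flags, algorithm_problems(records)


if __name__ == "__main__":
    for label, sample in (("mid-migration", MID_MIGRATION), ("double-signed", DOUBLE_SIGNED)):
        ad, problems = check_zone(sample)
        print(f"{label}: AD flag {'set' if ad else 'clear'}, {len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

Run against the mid-migration sample it reports the AD flag set and two algorithm-10 problems, matching the situation in the quoted complaint: a validating resolver is satisfied as long as one DS/DNSKEY chain works, while the algorithm rule is still violated. With the old provider's keys and signature appended the problem list is empty, which is the state to confirm before the old DS record is removed at the parent.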


