Do I need to disable the DNSSEC DS record and DNSSEC, let that propagate, and then change nameservers only after that has well propagated?
3 Answers
I found that there is a DNSSEC propagation delay, so the approach is:
- Disable DNSSEC at Registrar
- Wait 24 hours
- Disable DNSSEC at Nameserver
- Switch nameservers
This was the answer I was looking for, and eventually found through other resources.
If you use DNSSEC, then when you switch from one DNS provider to another you must take precautions to ensure your DNS resolution continues during the transition.
Your DS record is tied to the specific DNSSEC key that is used to sign your zone. If you move from a DNSSEC provider to a provider that does not support DNSSEC, then you must remove your DS record before switching.
The same rule applies if you switch from one DNS provider with DNSSEC to another DNS provider with DNSSEC. You should remove your DS record first, transition to the new DNS provider, and then have them provide you with the new DS record that you can add to your domain’s registry name servers.
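Because the DS record is derived from one specific DNSKEY, a practical pre-switch check is to recompute the DS from the KSK the (old or new) name servers actually serve and compare it with what the registrar has on file. The following is an added example, not code from the answer above; it implements the RFC 4034 key tag and DS digest in plain Python, and the owner name and DNSKEY it uses are constructed placeholders, not a real key.

```python
"""Verify that the DS at the registrar matches the DNSKEY served by a zone's
name servers (RFC 4034 key tag and DS digest). Sample records are constructed."""
import base64
import hashlib

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (RFC 4034 / RFC 6605)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str) -> bytes:
    """Turn 'flags proto alg base64key' (as printed by dig) into DNSKEY RDATA bytes."""
    flags, proto, alg, *key = text.split()
    pubkey = base64.b64decode("".join(key))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_to_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS RDATA ('tag alg dtype hexdigest') the registrar must hold for this key."""
    rdata = parse_dnskey(dnskey_text)
    digest = DIGEST_ALGOS[digest_type](owner_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest.upper()}"


def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True if the DS on file was derived from this DNSKEY; False means validation will fail."""
    tag, alg, dtype, *digest = ds_text.split()
    if int(dtype) not in DIGEST_ALGOS:
        return False
    expected = dnskey_to_ds(owner, dnskey_text, int(dtype))
    return expected == f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest).upper()}"


# Constructed sample: KSK flags (257), algorithm 13, with a dummy 64-byte key (not a real key).
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print("DS to publish at the registrar:", dnskey_to_ds(SAMPLE_OWNER, SAMPLE_KSK))
```

Run it against the DNSKEY returned by the new provider and the DS shown in the registrar's control panel; a mismatch (different key, different owner name, or a ZSK used instead of the KSK) is exactly the state that breaks resolution once the DS is live.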
If you are switching to Google Cloud DNS or another NS that supports DNSSEC transfer state, you can set your incoming NS's DNSSEC to transfer state which allows you to switch without downtime while remaining secure. Essentially the procedure is to use the same signing as the previous NS then add DS on the registrar. If DNSSEC is enabled on the NS but not the registrar, resolution will still happen nominally. That is key to preventing downtime.
To Cloud DNS https://cloud.google.com/dns/dnssec-config#migrating-to
From Cloud DNS https://cloud.google.com/dns/dnssec-config#migrating-from
From the docs:
check that Google Cloud DNS supports the same KSK algorithm already in use. If not, deactivate DNSSEC at your domain registrar before migrating the zone and updating the name server records at the registrar to use the Cloud DNS name servers.
If the existing KSK and ZSK algorithms are supported in Google Cloud DNS, you can perform the migration with DNSSEC enabled, following these steps:
Create a new DNSSEC-signed zone in DNSSEC 'Transfer' state. Transfer state allows you to manually copy DNSKEYs into the zone.
From the transfer pop up:
Entering transfer state DNSSEC will remain enabled for this zone, but only in transfer state. Transfer state allows you to migrate DNS zones between Google Cloud DNS and another DNS provider while keeping DNSSEC enabled.
It is safe to enter transfer state. Google Cloud DNS will still serve your zone and regenerate DNSSEC signatures as needed. However, you should not leave your zone in transfer state indefinitely. The DNSSEC zone signing keys (ZSKs) are not rotated while in transfer state, which reduces the security of your zone over time.