On Oct 1, 2013, at 9:04 PM, Sten Carlsen <st...@s-carlsen.dk> wrote:
> > On 02/10/13 02.47, Alan Clegg wrote: >> On Oct 1, 2013, at 8:27 PM, David Newman <dnew...@networktest.com> >> wrote: >> >> >>> On 10/1/13 2:16 PM, David Newman wrote: >>> >>>> Is there a recommended order of operations when moving DNSSEC-enabled >>>> nameservers to a hidden-master setup? >>>> >>> Actually, this is really a more general question: Is there a recommended >>> order of operations when migrating zones between any two DNSSEC-enabled >>> nameservers, assuming the same version of bind on each? >>> >> Eh... I'm not sure what the complexity here is. >> >> Set the "new" machine up as a slave, use the standard axfr mechanism to >> replicate the zones, move the keying material and then convert the new >> system form slave to master while taking the existing master off-line. >> >> What am I missing? > I believe that was the question, what is missing here - if anything. Seems > too easy, there has to be a catch. > Anything to do to catch up on internal states, How to be sure the new master > will continue exactly as the old one had done. Maybe it is that simple, that > would be great, but if you are not sure, it is a good question to ask. Fair enough. David: I've done this quite a few times and haven't had issues. I guess there _could_ be an issue if you are not careful, take too long getting the new master online and allow RRSIGs to expire. If you've been careful previously and don't take over 10 days to get the new master online (assuming default signature lifetime), all should be fine. The original post mentioned moving .jnl files, etc. which I would not recommend. Don't try to "replicate" the initial master by moving all of the files; allow the protocol to do the work replicating the zone data and you should be able to just copy the keying material across. Of course, you will need to make sure that you have the new master configured to do the signing in the same way as you did on the "being-retired" master server. (and as a side note, never use zero TTLs) AlanC -- Alan Clegg | +1-919-355-8851 | a...@clegg.com
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
