05-18-2017 01:33 PM
I've been tasked with migrating a DNSSEC signed zone out of an Infoblox NIOS 8.0.6 server into a cloud-based DNSSEC provider. I've been asked to do it without ever un-signing the zone, though it'll be changing from algorithm 7 to algorithm 13 as part of this.
The process the provider outlined for me is essentially:
- Configure the new DNSSEC zone in their system
- Turn down the TTL values on our existing records
- Add their ZSK record to our DNSKEY RRset
- Add their KSK to our zone's DS record
- Wait a reasonable length of time for the DNS propagation
- Change the NS records to point to the new servers.
- Remove DS record for old key & increase the TTL values back to normal.
I'm having trouble at steps 2, 3, & 4. In particular, when I turn down the default TTL for the zone, it doesn't change the DNSKEY or RRSIG timers. So, four questions:
- Does this appear doable?
- How can I change the TTL for my existing DNSKEY & RRSIG records in a zone?
- How can I add their ZSK & KSK records to my existing zone in parallel to the current records? I haven't been able to find a way to do this in the GUI or in the manual. Support told me, and I quote, "I'm not sure whether these are directly importable to NIOS or if there's a simple way to manually add them."
- Any other advice or best practices you can point me to for this scenario?
Thanks in advance,
05-18-2017 01:47 PM
I'm afraid you will not be able to add the ZSKs from a different system to the Infoblox zone. I would recommend you contact your sales team; migrating DNSSEC enabled zones is not a light duty operation.
If you are willing to suspend changes to the zone for a bit there may be a way forward by means of zone transfers out to the cloud offering, changing delegation at the parent/registrar. There are more steps after that which may get complicated and even then it may not be possible without unsigning depending on the cloud provider's options.
05-18-2017 01:57 PM
It's basically a static zone with only a handful of records, so getting records into the cloud provider seems to be a relatively minor issue. Not being able to add their DNSKEY sounds like a real problem, however.
05-18-2017 02:15 PM
Yeah, now that I stepped back from the problem, I really don't see a way around unsigning the zone or at the very least making it only an island (remove the DS from the parent).
Once you add a new DNSKEY you would have to sign the DNSKEY RRset with the Infoblox KSK, which you really can't do since there isn't a way to get the system to accept a DNSKEY record that is not managed by Infoblox.
If you are going to move SOA/primary to the cloud provider, you will need to at the very least remove the DS from the parent zone. If you are fine leaving Infoblox as the primary, and not having the cloud provider manage the zone (they would be an external secondary) then there's no problem here.
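Whichever path is taken (parallel DNSKEYs as the provider proposed, or an island followed by re-delegation as suggested in the reply), the step that breaks validation if it goes wrong is the parent's DS set: a DS that points at a key no longer in the child's DNSKEY RRset makes the zone bogus for every validating resolver. The script below is an added example written for this thread, not Infoblox or provider code, and uses only the Python standard library. It computes the key tag (RFC 4034 Appendix B) and a SHA-256 DS (digest type 2, RFC 4509) from DNSKEY records in presentation format, then reports which DS entries at the parent still match a DNSKEY and which are dangling. The DNSKEY values are constructed placeholders (not real keys); the zone name and key material are assumptions for the example.

```python
"""Check DS records at a parent against a child's DNSKEY RRset.

Added example for a DNSSEC migration, not Infoblox or provider code.
Key tag: RFC 4034 Appendix B. DS digest: SHA-256 over the canonical
owner name wire form followed by the DNSKEY RDATA (RFC 4509).
"""
import base64
import hashlib
import struct
from typing import List, Tuple

DIGEST_SHA256 = 2  # DS digest type 2 (RFC 4509)

DS = Tuple[int, int, int, str]  # (key tag, algorithm, digest type, hex digest)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str) -> Tuple[int, int, int, bytes]:
    """Parse 'flags protocol algorithm base64key' (presentation format) into fields."""
    fields = text.split()
    flags, proto, alg = (int(x) for x in fields[:3])
    key = base64.b64decode("".join(fields[3:]))  # key may be split over several fields
    return flags, proto, alg, key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum of big-endian 16-bit words of the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, dnskey_text: str) -> DS:
    """Derive the SHA-256 DS record that a parent should publish for this DNSKEY."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, DIGEST_SHA256, digest


def check_ds_against_dnskeys(owner: str, dnskeys: List[str], ds_records: List[DS]):
    """Split the parent's DS set into entries matching a DNSKEY and dangling entries.

    A dangling DS (key tag/digest matching no DNSKEY in the child) is the failure mode
    to avoid when the old KSK is removed before its DS is withdrawn from the parent.
    """
    computed = {make_ds(owner, k) for k in dnskeys}
    normalized = [(t, a, d, h.upper()) for (t, a, d, h) in ds_records]
    matched = [ds for ds in normalized if ds in computed]
    dangling = [ds for ds in normalized if ds not in computed]
    return matched, dangling


# Constructed placeholder keys (not real key material): an "old" algorithm 7 KSK
# and a "new" algorithm 13 KSK, as in the migration described in the thread.
ZONE = "example.com."  # assumed zone name
OLD_KSK = "257 3 7 " + base64.b64encode(b"\x03\x01\x00\x01" + b"B" * 32).decode()
NEW_KSK = "257 3 13 " + base64.b64encode(b"A" * 64).decode()


def migration_report(zone: str = ZONE):
    """Simulate the moment after the old KSK is dropped while both DS entries remain."""
    parent_ds = [make_ds(zone, OLD_KSK), make_ds(zone, NEW_KSK)]
    return check_ds_against_dnskeys(zone, [NEW_KSK], parent_ds)


if __name__ == "__main__":
    matched, dangling = migration_report()
    for ds in matched:
        print("OK       DS", *ds)
    for ds in dangling:
        print("DANGLING DS", *ds, "(no DNSKEY in child matches; remove it at the parent)")
```

Run it against the real zone by replacing the placeholders with the output of a DNSKEY query for the zone and the DS set returned by the parent; the check should show no dangling entries before the old DS is removed, and after the old key is gone only the new algorithm 13 DS should remain matched.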