Hello,

Roland and I have spent quite a few brain cycles on a plan to migrate from one DNSSEC solution to another -- doing it the cool way, that is, without dropping security. We have run through it on a test domain and the actually used ones and found it worked rather well for us. We have published the results in a manual that we expect to be of general use:

https://dnssec.surfnet.nl/?p=771

We try to crack a very general nut in this document:

* moving from /some/ HSM to /some/ HSM
* going from /some/ DNSSEC system to /some/ DNSSEC system
* doing it all without dropping domain security

The manual describes the procedure to follow in detail, so that it can be replayed without knowledge of the cryptographic structures at play. We've added lots of graphics in the hope of giving a lively insight into the snapshot state in all the intermediate states.

We hope you will find this useful. Any remarks are quite welcome on the blog page, of course.

Cheers,

Roland van Rijswijk
SURFnet BV
+31.302.305305

Rick van Rein
OpenFortress BV
+31.53.4782239
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
