| author | uvok cheetah | 2025-01-15 20:09:58 +0100 |
|---|---|---|
| committer | uvok cheetah | 2025-01-15 20:09:58 +0100 |
| commit | 9583c62ba9f6c0fb62715373169b4863831d23e3 (patch) | |
| tree | 4c9c9cbcf9318e0a8fd1969a4a316c3dca0060c2 /_posts | |
| parent | eb33cba9247299a368384e8063fd49f41e70e169 (diff) | |
Diffstat (limited to '_posts')
-rw-r--r-- | _posts/2025-01-12-migrating-dns-servers.md (renamed from _posts/2025-01-12-2025-01-12-migrating-dns-servers.md) | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/_posts/2025-01-12-2025-01-12-migrating-dns-servers.md b/_posts/2025-01-12-migrating-dns-servers.md index d81c8fe..2d671d3 100644 --- a/_posts/2025-01-12-2025-01-12-migrating-dns-servers.md +++ b/_posts/2025-01-12-migrating-dns-servers.md @@ -4,8 +4,13 @@ title: Migrating DNS providers lang: en categories: tech date: 2025-01-12 16:49 +0100 +last_modified_at: 2025-01-15 19:57 +0100 +redirect_from: /2025/01/2025-01-12-migrating-dns-servers.html --- +**Update 2025-01-15:** Add links to tools, add clarification for DNSSEC tool, +add clarification for validation errors/warnings. + ## Preface [As I posted on Mastodon](https://furry.engineer/@uvok/113780013806190576), @@ -173,6 +178,10 @@ for other TLDs and other registrars. NSEC3-RRSIG|don't import NSEC3-RRSIG)`. All variants failed. I have no clue how this is supposed to work cleanly. [^7] + **Update 2025-01-15**: The GitHub issue linked below (#9263) actually + contains a "solution"/workaround for this. The order of commands needs to be + 1) Import, 2) set-nsec3, 3) rectify, 4) set-presigned. + 1. Wait at least 24 hours (TTLs, DNS propagation time). 1. Let PowerDNS output its own keys it generated for the zone. Unfortunately, `pdnsutil export-zone-dnskey $zone $keynr` *does not output a completely 
@@ -207,6 +216,17 @@ for other TLDs and other registrars. I *think* dnsviz expects both `RRSIG`s, i.e. both keys must sign the replies? That shouldn't have an effect on the reachability, otherwise the tool would report BOGUS records? + + **Update 2025-01-15**: Yep. As stated in the IETF document linked in the + references: + + > Current reading is that an algorithm rollover requires a full validation + > with all algorithms involved, whereas a key rollover will work whenever + > data can be validated using either key ([RFC4035], section 2.2). + + N.B.: So if you *really* want to avoid that, you need to tell PowerDNS to + create an KSK/ZSK pair (with the same parameters?) and use these, and only + later switch over to algorithm 13. 1. Wait at least 24 hours (TTLs, DNS propagation time). - Depending on the previous DS records TTL. 1. Switch to automatic signing by PowerDNS. I guess at this point you must or should @@ -232,6 +252,8 @@ of a headache for me, also, domain names are not secrets. * [PowerDNS docs](https://doc.powerdns.com/authoritative/) * IETF Draft: [Changing DNS Operators for DNSSEC signed Zones](https://datatracker.ietf.org/doc/html/draft-koch-dnsop-dnssec-operator-change-06) +* [DNSSEC visualizer](https://dnsviz.net/) +* [Verisign Labs DNSSEC debugger](https://dnssec-debugger.verisignlabs.com/) ## Footnotes |
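Review bot: the `redirect_from: /2025/01/2025-01-12-migrating-dns-servers.html` line added in the front-matter hunk only keeps the old link alive if that path is what the site's permalink pattern produced for the previous `_posts/2025-01-12-2025-01-12-migrating-dns-servers.md` filename and the redirect plugin is active for the site; nothing in the hunk records that, so a one-line comment in the front matter (or in the update note) saying the file was renamed to drop the duplicated date prefix and that the redirect covers the old URL would make the rename self-explanatory. The same update note mentions "clarification for DNSSEC tool" without naming the tool or the clarification; naming them (the NSEC3 import order, the dnsviz RRSIG expectation) would let the changelog at the top of the post stand on its own.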
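Review bot: the update note in the NSEC3 hunk states the workaround order as `1) Import, 2) set-nsec3, 3) rectify, 4) set-presigned` but gives neither the actual `pdnsutil` subcommands nor the reason the order matters, while the reference to the GitHub issue is only "linked below (#9263)". Suggest writing the steps as the commands the surrounding text already uses (the post runs `pdnsutil` elsewhere), and adding one sentence on why rectify must follow set-nsec3, presumably because rectify computes the zone's ordering metadata according to whatever NSEC3 settings are in place at that moment, so running it before set-nsec3 leaves the zone in the state the earlier attempts failed on. Since the note itself puts "solution" in scare quotes, it should also say whether this order was verified on the author's zone or is reproduced from the issue untested.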
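Review bot: the N.B. in the algorithm-rollover hunk claims that creating a PowerDNS KSK/ZSK pair "with the same parameters?" and only later switching to algorithm 13 lets you "avoid that", but by the draft text quoted directly above it the later switch to algorithm 13 is itself an algorithm rollover and will again require validation with both algorithms; the extra step only separates the operator change (a plain key rollover, where either key validating suffices) from the algorithm change, it does not remove the dual-signing requirement. Suggest rewording "avoid" to "defer", and resolving the question mark: the quoted text speaks only of algorithms, so matching the imported keys' algorithm is what matters, and key size can be mentioned separately if it is relevant for another reason. Minor: "create an KSK/ZSK pair" should read "a KSK/ZSK pair".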
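Review bot: the two links added in the references hunk (`https://dnsviz.net/` and `https://dnssec-debugger.verisignlabs.com/`) are listed without saying which of them produced the observations discussed earlier in the post; since the text above refers to dnsviz by name for the RRSIG/BOGUS question, a short annotation after each link (what each tool was used to check during this migration) would tie the references back to the steps.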