Transferring a DNSSEC-signed domain is more complex than transferring an unsigned one, because the chain of trust from the parent zone (the DS record) to the zone's keys must be kept consistent, or deliberately broken and re-established, while the domain moves between providers. DNSSEC is essential for maintaining the authenticity and integrity of DNS data. This post explains the steps involved in the transfer process and introduces DNSViz, a valuable tool commonly used by TechOps teams for DNSSEC debugging.
Steps for Transferring DNSSEC-Signed Domains
1. Prepare the New Registrar
Ensure that the new registrar supports DNSSEC and is capable of handling the transfer of DNSSEC-signed domains. This is crucial for a smooth transition.
2. Disable DNSSEC at the Current Registrar
Before initiating the transfer, disable DNSSEC at the current registrar by removing the DS (Delegation Signer) record from the parent zone. Wait for the old DS record's TTL to expire before the zone moves, so that no validating resolver still holds a cached DS that the new provider's unsigned (or differently signed) zone cannot satisfy; a resolver in that state treats the zone as bogus and the domain stops resolving.
3. Initiate the Domain Transfer
Follow the standard domain transfer process provided by the new registrar. This typically involves providing an authorization code, unlocking the domain, and initiating the transfer request.
4. Update DNSSEC at the New Registrar
After the domain transfer is completed, re-enable DNSSEC at the new registrar. This involves adding the DS record for the new provider's Key Signing Key to the parent zone.
It's important to note that DNSSEC transfers can be more complex and may require additional coordination with both the current and new registrars. Consult the documentation or support provided by your specific registrar for detailed instructions on transferring DNSSEC-signed domains.
The method outlined above is the simplest way of transferring signed domains. The domain will be unsigned, and therefore insecure, for as long as the transfer takes. But it is VASTLY simpler and easier to achieve than a coordinated transfer, where the domain stays signed throughout, and it should be suitable for most sites. With the coordinated approach a failure can result in the domain VANISHING from the internet for a period of time. For the brave or foolhardy the process is as follows:
Copy both the Key Signing Key and Zone Signing Key DNSKEY records from the new provider and arrange to have them added to the zone at the old provider, so that the old provider's zone publishes both providers' keys.
Have the DS record for the new provider's Key Signing Key added to the parent zone alongside the existing DS record. Allow time for this change to propagate to the rest of the internet (we suggest 24 hours to be safe).
Then initiate the transfer. Once it has completed successfully, remove the old DS record from the parent zone.
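Both procedures hinge on one question: does the DS record at the parent match the Key Signing Key the zone actually publishes? The following added example (not code from the original post) computes DS records from DNSKEY data as in RFC 4034 and classifies where a coordinated transfer stands from the parent's DS set; the key material is constructed filler and the owner name is an assumption.

```python
import base64
import hashlib
import struct

# Constructed sample keys (not from the page; key bytes are filler, not real keys).
# Each dict mirrors the four DNSKEY fields a provider's control panel shows.
OLD_KSK = {"flags": 257, "protocol": 3, "algorithm": 13,
           "public_key": base64.b64encode(bytes(range(64))).decode()}
NEW_KSK = {"flags": 257, "protocol": 3, "algorithm": 13,
           "public_key": base64.b64encode(bytes(range(1, 65))).decode()}

def dnskey_rdata(key):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    header = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"])
    return header + base64.b64decode(key["public_key"])

def key_tag(key):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata(key)):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name in canonical (lowercase, length-prefixed) wire form."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(name, key, digest_type=2):
    """DS RDATA derived from a DNSKEY: (key tag, algorithm, digest type, hex digest).
    Digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384; unknown types never match."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}.get(digest_type)
    if hasher is None:
        return None
    digest = hasher(owner_wire(name) + dnskey_rdata(key)).hexdigest().upper()
    return (key_tag(key), key["algorithm"], digest_type, digest)

def ds_matches_key(parent_ds, name, key):
    """True if any DS published at the parent was derived from this DNSKEY."""
    return any(ds == ds_record(name, key, ds[2]) for ds in parent_ds)

def transfer_state(parent_ds, name, old_ksk, new_ksk):
    """Classify a coordinated transfer from the DS set seen at the parent."""
    old = ds_matches_key(parent_ds, name, old_ksk)
    new = ds_matches_key(parent_ds, name, new_ksk)
    if old and new:
        return "both"      # both DS live: safe to initiate the transfer
    if old:
        return "old-only"  # new KSK's DS not yet at the parent: do not transfer
    if new:
        return "new-only"  # old DS removed after transfer: rollover complete
    return "none"          # nothing matches: zone is insecure or the DS is stale
```

Run `transfer_state` against the DS set returned by a `dig DS` query at each step; "none" while the zone still serves signatures is the failure mode the text warns about.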
Additional Resources for DNSSEC Transfers
Here are some links that provide further information on transferring DNSSEC-signed domains:
1. ICANN DNSSEC FAQ: ICANN provides an informative FAQ on DNSSEC, explaining its importance and implications.
2. DNSSEC.net: A comprehensive resource for understanding DNSSEC, including guides and documentation.
3. Cloudflare DNSSEC Transfer Guide: Cloudflare's guide specifically focuses on DNSSEC transfers and provides insights into their registrar platform.
DNSViz: A Debugging Tool for DNSSEC
Our TechOps team relies on a powerful tool called [DNSViz](https://dnsviz.net/) to debug DNSSEC-related issues. DNSViz is a web-based tool that offers visualization and analysis of DNS data. Here are some useful links related to DNSViz:
1. Official Website: Access the tool and perform DNS analysis directly at [dnsviz.net](https://dnsviz.net/).
2. GitHub Repository: Explore the source code and documentation related to the project. Contribute, report issues, or delve into the codebase.
3. User Guide: The user guide provides detailed instructions on using DNSViz effectively, covering various features and functionalities.
4. API Documentation: If you're interested in programmatically accessing DNSViz, the API documentation explains how to interact with the tool using RESTful API endpoints.
DNSViz is a valuable asset for TechOps teams, offering insights into DNS configurations, DNSSEC signatures, delegation chains, and various DNS records. Although it is a diagnostic tool rather than something you write code against, it is an indispensable resource for DNS analysis and visualization.