Transferring a DNSSEC-Signed zone requires several steps to be done in order.
To complete your transfer and avoid any issues during the migration, follow the instructions on how to transfer your DNSSEC-Signed zone as smoothly as possible.
If you have any questions, please contact our Concierge team for additional assistance in this process.
|1. Transfer the zone to Dyn’s Managed DNS using the Transfer Zone option, or Import/Upload a copy of it.
Note: This transfer should include the DNSKEY ZSK records from the old nameservers, the RRSIG/NSEC records will be ignored.
|Click here for information on how to Transfer your Zone
Click here to Import/Upload your Zone file
| 2. Verify that the DNS ZSK Records from the old nameservers were imported.
If they were not, add the records manually.
|Click here for information on how to Add a Record to add the ZSK record to your Zone.|
|3. Publish the new zone.||Click here for information on how to Publish your Zone in Dyn’s Managed DNS.|
|4. Add DNSSEC to the zone, this will force a publish.||Click here for information on how to add DNSSEC to your zone.|
|5. Take the DNSKEY ZSK that Dyn’s Managed DNS generates and add it to the root of the zone at the old nameservers.||Click here to download a .txt file of the DNS Zone Signing Key Records.|
|6. Take the DS (Delegation Signer record) that Dyn’s Managed DNS generates and make sure the parent of the new DNSSEC zone is aware of both the DS from the old nameservers and the DS from Dyn’s Managed DNS zone. Both DS records must be located at the parent of the DNSSEC-signed zone.||Click here for information on DS record Registration.|
|7. Wait for the DS/DNSKEYS to become globally visible (This should be the highest TTL out of: (old nameserver’s NS TTL, Parent’s NS TTL for the zone, DS TTL))||
Note: While most delegation changes are refreshed on the top level domains (TLDs) within 15 minutes after the delegation change, it may take longer for individual country code TLDs to refresh their delegation cache. Check with your domain registrar if you have questions about delegation cache refresh rates.
|8. Change the zone delegation to Dyn’s Managed DNS.||Click here for information on how to change the Zone Delegation.|
|9. Wait for NS records for old nameservers to expire (max TTL on NS records for zone)||Test your domain delegation by running a dig +trace search on your domain. The returned information should show that your domain is now being delegated by Dyn’s nameservers.|
|10. Stop the DNSSEC service at the old nameservers.||Contact the company where your zone was previously managed to confirm their procedures for this process.|
|11. Remove the DS records for old nameservers from parent of the DNSSEC-signed zone.||Click here to Remove records from your zone.|
|12. Remove the ZSK for the old nameservers from the zone now managed by Dyn.||Click here to Remove records from your zone.|