[dns-operations] Entering DNSSEC waters

Doug Barton dougb at dougbarton.us
Fri Jan 23 00:18:10 UTC 2015

On 1/22/15 11:21 AM, Stephen Johnson (DIS) wrote:
> I'm about to put my toes into the DNSSEC waters before something forces me
> to dive in head first. I've been researching and doing some tentative
> planning as to how to implement DNSSEC for our DNS zones.
> I've got a good handle on how we'll do our key handling and key
> rotations (from RFC6781). What I'm currently lacking is a rollout and
> testing plan for the live zones. I've read about the DNSSEC rollouts
> that have been discussed on the list.
> What I'm asking for is advice and possibly copies of rollout and
> testing plans others have used. From those I'll cobble together a rollout
> plan for our zones.

How wet are your toes? :)

If you haven't already, start with validation. It's easy to enable, and 
you can do it with next to no impact on your existing stuff (assuming 
you have some overhead built into your existing resolver infrastructure).

Rollout and testing are the same as they would be for any other major 
DNS change. Do you have internal-only zones? Create a new one just for 
testing, and put your new validators through their paces. (You'll need 
trust anchors configured for those internal zones on your validating 
resolvers.) Then maybe go on to some other, mission-critical zones.

Then move on to a few inconsequential external zones (e.g., zones you 
have parked for trademark protection purposes). You can test them from 
the inside with your validating resolvers, and then you'll want to 
confirm from the outside as well. (Google's public DNS is validating, FYI.)

Once your feet are thoroughly soaked, you can move on to your 
mission-critical external stuff, and then you're done.

You might want to publish your plans for key sizes, types, rollover, 
etc. here for review.

Also, there is a good book you might want to check out:


I was involved in reviewing the book, but I don't receive any 
compensation for it, in case that matters to you.

Good luck,
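The outside check suggested in the reply above (query a validating public resolver such as Google's and see whether it marks the answer as authenticated), as an added example that is not part of the original message: a small Python tool that builds a query with the EDNS0 DO bit set, parses the response header and answer section, and reports whether the zone validated, is signed but not validated, is unsigned, or fails validation. The name example.test, the use of 8.8.8.8 for Google Public DNS, and the embedded sample responses are constructed for this example; the sample RRSIG carries dummy rdata, not a real signature.

```python
import random
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authenticated Data: the resolver validated the answer
FLAG_CD = 0x0010   # Checking Disabled: ask the resolver to skip validation
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO, RCODE_SERVFAIL = 0x8000, 2   # DO bit lives in the OPT record's TTL field

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, qid=None, cd=False):
    """Build a recursive query carrying an EDNS0 OPT record with DO set (RFC 6891)."""
    qid = random.randrange(65536) if qid is None else qid
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at msg[off]."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if n == 0:                # root label terminates the name
            return off
        off += n

def parse_response(msg):
    """Extract id, rcode, the AD flag and the record types in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answer_types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answer_types.append(rtype)
    return {"id": qid, "rcode": flags & 0x0F, "ad": bool(flags & FLAG_AD),
            "answer_types": answer_types}

def classify(resp, expected_id):
    """Reduce a parsed response to what the rollout test wants to know."""
    if resp["id"] != expected_id:
        return "id-mismatch"
    if resp["rcode"] == RCODE_SERVFAIL:
        return "servfail"                      # what a validator returns for bogus data
    if resp["rcode"] != 0:
        return "rcode-%d" % resp["rcode"]
    signed = TYPE_RRSIG in resp["answer_types"]
    if signed and resp["ad"]:
        return "validated"
    if signed:
        return "signed-but-not-validated"      # RRSIGs present but AD not set
    return "unsigned"

def check_from_resolver(name, server="8.8.8.8", timeout=3.0):
    """Ask a validating public resolver; on SERVFAIL retry with CD=1 so a validation
    failure (data comes back when checking is disabled) is told apart from an outage."""
    def ask(cd):
        qid = random.randrange(65536)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid=qid, cd=cd), (server, 53))
            data, _ = s.recvfrom(4096)
        return classify(parse_response(data), qid)
    verdict = ask(cd=False)
    if verdict == "servfail" and ask(cd=True) != "servfail":
        return "validation-failure"
    return verdict

def constructed_response(flags, answers, qid=0x1234):
    """Constructed (not captured) response for offline testing; RRSIG rdata is a dummy."""
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    msg += encode_name("example.test") + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:                # 0xC00C = pointer to the question name
        msg += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

SIGNED_ANSWERS = [(TYPE_A, bytes([192, 0, 2, 1])), (TYPE_RRSIG, b"\x00" * 8)]
SAMPLE_VALIDATED = constructed_response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, SIGNED_ANSWERS)
SAMPLE_UNVALIDATED = constructed_response(FLAG_QR | FLAG_RD | FLAG_RA, SIGNED_ANSWERS)
SAMPLE_SERVFAIL = constructed_response(FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, [])
```

Call check_from_resolver("yourparkedzone.example") before and after signing a parked zone: an unsigned zone reports "unsigned", a correctly signed one "validated", and a zone whose signatures are broken answers SERVFAIL with DO set but returns data when CD=1, which the tool reports as "validation-failure". It needs only the standard library, but it does not retry truncated answers over TCP; for that, dig +dnssec is the better tool.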

