Transfering a DNSSEC signed domain to cloudflare


#1

Hello All

Can anyone help with this I have a DNSSEC signed domain that I would like to transfer to cloudflare changing the name servers as well. I really need this to happen without any downtime. I am having trouble finding any documentation on how this transfer would be completed.

Thank you for any help

Nathan


#2

The easy way is:

  1. Remove the DS record(s) at your registrar.
  2. Wait.
  3. Move to Cloudflare. Enable DNSSEC.
  4. Wait.
  5. Add Cloudflare DS record at your registrar.

The hard way is difficult (if you’re already using P-256) or very difficult (if you’re changing algorithms too) and Cloudflare may not even support or allow it.

Edit: It’s easy to do without downtime. It’s hard to do without going insecure.


#3

@mnordhoff If I remove the DS record at the registrar would this still not leave a period where some DNS servers around the world have this cached causing resolution errors? How long would you suggest waiting once DS record is removed?


#4

You do need to wait for the TTL to expire to ensure that other resolvers have forgotten about your old DS records. I’d recommend checking the TTL of the DS records at the TLD as the TTLs may vary from TLD to TLD.


#5

This topic was automatically closed after 14 days. New replies are no longer allowed.