The purpose of this step is to completely switch over to the destination signer. At the end of this step, continuous zone signing has been restarted and will only take place on the destination signer; zone publication will have been resumed and will use the output from the destination signer. The situation at the end of this step is shown in the diagram below (note that the situation on the source signer is greyed-out since the source signer will no longer be in use for the zone that is being migrated by the end of this step).
To reach this situation, the following sub-steps need to be taken:
- Make the latest clean (i.e. unmodified by the steps of this process) input zone available as input on the destination signer
- Add the DNSKEY record for the active ZSK from the source signer to the input zone
- Set the SOA serial number such that it is higher than the SOA serial number of the currently published zone
- Remove any signed zone output and intermediate data on the destination signer
- Restart automated signing on the destination signer
- Do NOT yet restart automated key management or zone upload, this will be done later
- Reconfigure your authoritative name servers to source their data from the destination signer
- Wait for the newly signed zone from the destination signer to be published on your authoritative name servers
- Wait maxTTL(zone) for all the signatures created with the active ZSK from the source signer to disappear from caches and be replaced by signatures created with the active ZSK from the destination signer
Note that the active ZSK from the source signer needs to be published because caches will still contain signatures over resource record sets created with this key. It is therefore still part of the trust chain.