How to Migrate Name Servers for DNS Zones with DNSSEC active

When you are migrating your DNS service to another DNS provider, you have to update the Name Servers for your DNS zone (domain name) at the Registrar. 

The Registrar provides the authoritative answers for DNS queries for Name Servers to your DNS zone. DNSSEC is a security extension for DNS which helps securing that DNSes answer only with information provided by your DNS provider.

How to check if DNSSEC is active for your domain

You can check if DNSSEC is active by using the command line tool dig.

$ dig ds

In the following example we have run this for is using DNSSEC, and when a domain uses it – it will return a DS record in the ANSWER SECTION (like highlighted).

If DNSSEC is not enabled, there will be no DS record. Instead, a SOA record will be returned in the answer section. In that case, updating name servers can just be done without further worries. Only make sure you have all DNS records present and updated to mirror each other in both zones for the 24 hours the switch may take, and everything will go without disruptions.

How to switch Name Servers for domains with DNSSEC

If DNSSEC is active, the name servers can not be changed without breaking the DNS zone, which means that you will experience your domain as down. There are exceptions to this for DNS providers that support DNSSEC transfer state, but most providers don’t support this at the moment.

Time needed: 1 day

To transfer your DNS service to a new provider without any interruptions, you should:

  1. Disable DNSSEC at Registrar

    When you’re ready to move your site to Cloudflare by changing your name servers at your domain registrar, you’ll need to turn off DNSSEC first.

  2. Wait 24 hours

    Once DNSSEC has been turned off, you’ll need to wait for 24 hours before this change has been replicated across the entire internet.

  3. Disable DNSSEC at Name Server (remove DS-records)

    After 24 hours you can remove the DS records used for DNSSEC.

  4. Switch name servers

    Change the name servers to the new name server entries.

  5. Wait 24 hours

    You’ll once again have to wait for 24 hours for this change to be replicated across the internet.

  6. Re-enable DNSSEC

    Once 24 hours have passed, you can turn on DNSSEC again.

Many DNS providers don’t give you the option to do 1 and 3 separately. You will then have to:

  1. Disable DNSSEC at your DNS provider
    (this then updates the registrar, and hopefully removes the DS record gracefully)
  2. Wait 24 hours
  3. Switch name servers.
  4. Wait 24 hours
  5. Re-enable DNSSEC

Both Registrar and Name Server/DNS updates can take up to 24 hours to become active, and propagate throughout the internet. How fast this happens depends on the top level domain, your DNS provider and the defined cache expiry times. Therefore, always be patient while working with DNS changes, and wait for changes to propagate before you move on and make more changes.

The command line tool “whois” will provide information about registered name servers.

You can use dig -t NS to check what name servers are currently active for your domain name. Because entries are cached in multiple levels, the answer you get can be different from what someone else gets – only time will expire DNS caches.