You may need to migrate your DNS hosting from one provider to another DNS provider for different reasons and when you have activated DNSSEC Record, then the job is slightly difficult but potential downtime can be avoided if the steps are done correctly. DNSSEC Record is great since no party can run a man-in-the-middle exploit.
As for real-life examples, we use Tucows/Hover as domain registrar for this website and Rage4 DNS as DNS provider. If we want to suddenly move our DNS hosting from Rage4 to DNSMadeEasy, then it is not easy. Because the DNSSEC is designed to stop this kind of “quick hijacking”. There are many reasons behind planning to move DNS hosting from one provider to another DNS provider, one of the dreaded is loss of access to the account. Loss of access to your DNS account may happen out of technical issues of the provider. For the above-given scenario, you can move your DNS provider with 24-48 hours downtime. But, you may completely avoid downtime if you start the process early and plan fully.
Step 1 : Check the Records and Backup All the DNS Records
If you have a backup of all the DNS records then it will be easy to migrate. Create an account at your planned DNS hosting provider’s website. Copy-paste all the records except the DNSSEC record. Do not publish the records. You’ll not add any new DNSSEC record here, in the new account.
We can check the DNSSEC record of our domain using Dig :
dig ds thecustomizewindows.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> ds thecustomizewindows.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50775
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;thecustomizewindows.com. IN DS
;; ANSWER SECTION:
thecustomizewindows.com. 86400 IN DS 45657 10 1 0B42DF107AFF729E6520DAE85CAFB712C0FA3A21
thecustomizewindows.com. 86400 IN DS 45657 10 2 4ECEF3F41FE0A18EE5FC018EF5DE79587C243215463011D8A7BEBEAC 5CF84FFD
thecustomizewindows.com. 86400 IN DS 45657 10 4 B8AF03E972B7DE22D610DC40FAF0228DEA131B83CF224E797FB47661 831BEA3034EC3CDD0290DFAE30FF24B03E13B718
;; Query time: 87 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Sun Oct 03 22:32:46 IST 2021
;; MSG SIZE rcvd: 200
And also by using this excellent DNSSEC analysis tool by Verisign.
Step 2 : Delete the DNSSEC Record from Domain Registrar
Login to the website of your domain registrar, for example, Tucows/Hover in our case. Any standard registrar will have this kind of help page for their DNSSEC service:
Take a screenshot and proceed to delete the records. This process will erase the declaration of authority from the domain registrar. After 24 hours, check the DNSSEC record using Verisign’s tool and Dig. You have to wait till the whole internet forgets the declaration from the domain registrar’s side.
Step 3 : Delete the DNSSEC Record from Old DNS Host
You have kept the new account of the DNS host ready. You need to delete the DNSSEC record associated with the record in the (old) DNS host’s list at least 24 hours before publishing the records from the new account. Now, in case you have lost access, at least for the paid DNS services, no-host will forever host your records for free. If the host can not return your account, they will help to erase the records. At that moment you have to change the nameservers from the domain registrar and publish the new set of DNS records from a new account.
By early turning off the DNSSEC record at the registrar’s website, you are breaking the “trust chain”. Within 48 hours, the DNSSEC record created at DNS host losing its merit. You should re-enable DNSSEC after a week or so when you are sure that the migration has been completed.