DNSSEC is a great security feature for domains. Previously we published guides on how to enable DNSSEC and the DANE TLSA record.
Suppose you use Hover as your domain registrar and DNSMadeEasy as your DNS provider, and you now want to move from DNSMadeEasy to CloudFlare. If you simply switch DNS providers while the DNSSEC (DS) record is still active, the website will stop resolving: the purpose of DNSSEC is to prevent DNS hijacking, and the new provider's keys will not match the DS record published at the registrar, so validating resolvers will reject the zone. Because DNSSEC is such a serious matter, we suggest using premium domain registrars and DNS providers. If one of these services shuts down on short notice, it will be difficult to avoid a long downtime of 48 hours or more.
So, in these situations, you need to plan the move of DNS hosting from one provider to another.
---
Step 1: Check the Existing Records
You can check the DNS cache for existing records with the simple dig tool:
dig ds thecustomizewindows.com
In our case, we received this response:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> ds thecustomizewindows.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53163
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;thecustomizewindows.com.	IN	DS

;; ANSWER SECTION:
thecustomizewindows.com. 86400 IN DS 45657 10 1 0B42DF107AFF729E6520DAE85CAFB712C0FA3A21
thecustomizewindows.com. 86400 IN DS 45657 10 2 4ECEF3F41FE0A18EE5FC018EF5DE79587C243215463011D8A7BEBEAC 5CF84FFD
thecustomizewindows.com. 86400 IN DS 45657 10 4 B8AF03E972B7DE22D610DC40FAF0228DEA131B83CF224E797FB47661 831BEA3034EC3CDD0290DFAE30FF24B03E13B718

;; Query time: 313 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Apr 30 22:03:36 IST 2023
;; MSG SIZE  rcvd: 200
Look at ANSWER: 3. The records above are published at the domain registrar's level. There are 3 DS records for thecustomizewindows.com:
DS=45657/SHA-384 has algorithm RSASHA512
DS=45657/SHA-256 has algorithm RSASHA512
DS=45657/SHA-1 has algorithm RSASHA512
All three are generated by the domain registrar to allow a wider choice. In the same way, we can check the TLSA record. Note that TLSA records live at the service name, which for HTTPS is _443._tcp.<domain>, and that "tls" is not a record type dig understands, so the query is:
dig TLSA _443._tcp.thecustomizewindows.com
Below is the response that the original command, dig tls thecustomizewindows.com, produced. dig treated "tls" as a hostname (hence the NXDOMAIN for tls.) and then answered a plain A query for the domain, so no TLSA data appears:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> tls thecustomizewindows.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21750
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;tls.	IN	A

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023043000 1800 900 604800 86400

;; Query time: 54 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Apr 30 22:06:15 IST 2023
;; MSG SIZE  rcvd: 107

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15995
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;thecustomizewindows.com.	IN	A

;; ANSWER SECTION:
thecustomizewindows.com. 3600 IN A 74.208.101.37

;; Query time: 316 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Apr 30 22:06:15 IST 2023
;; MSG SIZE  rcvd: 68
We also check the records with Verisign's DNSSEC analysis tool.
Step 2: Disable or Delete the Records from Domain Registrar
Do not touch the records at the DNS provider's level yet. Log in to your domain registrar's account and disable or delete the DNSSEC (DS) record. Before disabling or deleting it, you may ask your domain registrar for support or documentation. Some providers require a phone call to disable the record.
We suggest waiting for one week after disabling or deleting the record. Officially you need to wait for 24 hours (the DS records above carry a TTL of 86400 seconds). On the 7th day, check the DS record again by running the dig command and using Verisign's DNSSEC analysis tool.
dig ds abhishekghosh.com
The response will be empty like this one:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> ds abhishekghosh.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7877
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;abhishekghosh.com.	IN	DS

;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1682873321 1800 900 604800 86400

;; Query time: 255 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Apr 30 22:18:51 IST 2023
;; MSG SIZE  rcvd: 119
Now the response is ANSWER: 0, so DNSSEC is no longer active. You can now delete the associated records from the DNS provider's account. Again, wait for another 24-48 hours.
Step 3: Move to New DNS Provider
Now you can move to any new DNS provider. Once you are satisfied with the move and have decided to stay with the new provider, follow our guides to add DNSSEC and TLSA records again.
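The checks in Steps 1 and 2 can be scripted so the "is the DS record gone yet?" question is answered mechanically before the move. The following is an added example, not code from the original post; the parsing functions work offline on captured dig output, while the live helpers assume dig is installed and default to the 1.1.1.1 resolver used above. It also shows the correct TLSA query shape for HTTPS.

```shell
#!/bin/sh
# Added example (not from the original post): parse `dig DS <domain>` output to
# decide whether the parent zone still publishes DS records, and therefore
# whether a DNS-provider move would break the chain of trust.

# Count DS records in the ANSWER SECTION of a dig response read from stdin.
count_ds_answers() {
    awk '
        /^;; ANSWER SECTION:/                 { in_answer = 1; next }
        /^;;/                                 { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "DS" { n++ }
        END                                   { print n + 0 }
    '
}

# Print each DS record as "DS=<keytag>/<digest> has algorithm <alg>", using the
# IANA names for the common DNSSEC algorithm and digest-type numbers.
summarize_ds() {
    awk '
        BEGIN {
            alg[8] = "RSASHA256"; alg[10] = "RSASHA512"; alg[13] = "ECDSAP256SHA256"
            alg[14] = "ECDSAP384SHA384"; alg[15] = "ED25519"
            dg[1] = "SHA-1"; dg[2] = "SHA-256"; dg[4] = "SHA-384"
        }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "DS" {
            printf "DS=%s/%s has algorithm %s\n", $5, ($7 in dg ? dg[$7] : $7), ($6 in alg ? alg[$6] : $6)
        }
    '
}

# Live query of the DS set at the parent via the resolver in $2 (default 1.1.1.1).
live_ds_count() {
    dig @"${2:-1.1.1.1}" DS "$1" | count_ds_answers
}

# Correct TLSA lookup for HTTPS on port 443: the record lives under _443._tcp.<domain>.
live_tlsa_count() {
    dig @"${2:-1.1.1.1}" TLSA "_443._tcp.$1" |
        awk '$3 == "IN" && $4 == "TLSA" { n++ } END { print n + 0 }'
}

# Succeed only when no DS record is published, i.e. the zone can change provider
# without validating resolvers failing the chain of trust.
safe_to_move() {
    [ "$(live_ds_count "$1" "$2")" -eq 0 ]
}
# Usage: . ./dnssec_move_check.sh; safe_to_move example.com && echo "no DS published"
```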