DNSSEC key rollover is scheduled, how do I do that without disruption?
DNSSEC chains signatures from the DS record at the registrar to the DNSKEY in your own DNS zone. A rollover that is not phased makes validating resolvers return 'BOGUS', and your domain fails validation.
Try this first
1. Lower the DS and DNSKEY TTLs first (often to 1 hour). Wait twice that TTL before rolling; otherwise the old DS still sits in resolver caches while the new key is already active.
2. There are two safe paths: 'Double Signature' (two KSKs active at once, zone signed with both) or 'Pre-publish' (publish the new DNSKEY before signing with it). Most managed DNS providers (Cloudflare, Route 53) handle this automatically; on-premise BIND does not.
3. On managed DNS: trigger the rollover in the UI or API and wait. On BIND/PowerDNS: follow the official rollover procedure step by step and do not skip the wait times.
4. Update the DS record at the registrar once the DS for the new key is ready. For .nl domains this goes via your registrar to SIDN; some registrars accept CDS records, so the zone publishes the new DS itself.
5. Verify with DNSViz (dnsviz.net) or the Verisign DNSSEC Debugger: green = chain valid, red/yellow = a mismatch somewhere. Do not go live until it is fully green.
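Before step 4, the DS you hand to the registrar must be derived from the new KSK's DNSKEY, and after step 5 the DS set at the parent must contain it. The Python below is an added example, not code from the original page: it computes the DS (RFC 4034 key tag plus SHA-256 digest, digest type 2) from a DNSKEY and checks it against the DS lines published at the parent. The zone name example.nl and the all-zero ECDSA P-256 public key are constructed placeholders.

```python
"""Compute a DS record from a DNSKEY and check it against the parent's DS set."""
import base64
import hashlib


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str):
    """Return (key tag, algorithm, digest type 2, hex SHA-256 digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def parse_ds(line: str):
    """Parse presentation-format DS RDATA, e.g. '1038 13 2 AB12...'."""
    tag, alg, dtype, digest = line.split(None, 3)
    return (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())


def parent_ds_matches(expected_ds, parent_ds_lines) -> bool:
    """True if the parent's DS set contains the new KSK's DS.
    During a Double Signature rollover the old DS may still be present too; that is fine."""
    return any(parse_ds(line) == expected_ds for line in parent_ds_lines)


# Constructed placeholders: KSK flags 257, algorithm 13 (ECDSAP256SHA256), zero public key.
NEW_KSK_B64 = base64.b64encode(bytes(64)).decode("ascii")

if __name__ == "__main__":
    ds = ds_from_dnskey("example.nl.", 257, 3, 13, NEW_KSK_B64)
    print("DS to submit:", *ds)
    print("present at parent:", parent_ds_matches(ds, [" ".join(map(str, ds))]))
```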
When to bring us in
Chain-of-trust errors in production (validating resolvers see your domain as BOGUS or non-existent): open a ticket with your DNS provider and/or registrar while temporarily disabling DNSSEC. We run this kind of rollover with a second person on the line for double checks.
See also
- Domain expires tomorrow and nobody saw the email: An expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renew: Disabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find it: The EPP code or transfer code is the password to move a domain from registrar A to B.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.