[Pdns-users] DNSSEC Algorithm Rollover Documentation

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon May 3 09:27:00 UTC 2021

Hello Klaus,

The DNSSEC Operational Practices (RFC 6781) documents this in chapter
4.1.4 Algorithm Rollovers:

The document mentions both a conservative and a liberal approach. You
can follow the liberal approach as by now all software handles this case
correctly. It has even been done by TLDs.

Tony Finch has also documented how to do an algorithm rollover,


On 03.05.21 10:25, Klaus Darilion via Pdns-users wrote:
> Hi all!
> Is there somewhere documentation for an algorithm rollover?
> The cryptokeys table recently received the "published" column to "Implement published and unpublished dnskeys to allow algorithm rollovers.":
> https://github.com/PowerDNS/pdns/commit/3391829938b4544a59c93c4734532ce2fdc311bf#diff-de175d2b28860458f7c4a143ab82aa94b44e5ac11fc51008fb4ac9b414130f91
> But I do not find any documentation when to "publish" or "unpublish" a key during an algorithm rollover. In my case the key handling is completely outside of PDNS.
> Thanks
> Klaus

Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnimann at switch.ch, www.switch.ch
