[Pdns-users] DNSSEC Algorithm Rollover Documentation

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon May 3 09:27:00 UTC 2021


Hello Klaus,

The DNSSEC Operational Practices (RFC 6781) documents this in chapter
4.1.4 Algorithm Rollovers:
https://tools.ietf.org/html/rfc6781#section-4.1.4

The document mentions both a conservative and a liberal approach. You
can follow the liberal approach as by now all software handles this case
correctly. It has even been done by TLDs.

Tony Finch has also documented how to do an algorithm rollover,
https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

Daniel



On 03.05.21 10:25, Klaus Darilion via Pdns-users wrote:
> Hi all!
> 
> Is there somewhere documentation for an algorithm rollover?
> 
> The cryptokeys table recently received the "published" column to "Implement published and unpublished dnskeys to allow algorithm rollovers.":
> https://github.com/PowerDNS/pdns/commit/3391829938b4544a59c93c4734532ce2fdc311bf#diff-de175d2b28860458f7c4a143ab82aa94b44e5ac11fc51008fb4ac9b414130f91
> 
> But I do not find any documentation when to "publish" or "unpublish" a key during an algorithm rollover. In my case the key handling is completely outside of PDNS.
> 
> Thanks
> Klaus

-- 
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnimann at switch.ch, www.switch.ch

