[Pdns-users] DNSSEC Algorithm Rollover Documentation

Klaus Darilion klaus.darilion at nic.at
Tue May 4 20:40:25 UTC 2021


Hi Daniel!

Thanks for the info.

> -----Original Message-----
> From: Daniel Stirnimann <daniel.stirnimann at switch.ch>
> Sent: Monday, 3 May 2021 11:27
> To: Klaus Darilion <klaus.darilion at nic.at>; Pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] DNSSEC Algorithm Rollover Documentation
> 
> Hello Klaus,
> 
> The DNSSEC Operational Practices (RFC 6781) documents this in chapter
> 4.1.4 Algorithm Rollovers:
> https://tools.ietf.org/html/rfc6781#section-4.1.4
> 
> The document mentions both a conservative and a liberal approach. You
> can follow the liberal approach, as by now all software handles this case
> correctly.

The question is - are all ISPs using the new software versions that support the liberal approach?

> It has even been done by TLDs.

That's a good indicator.

> Tony Finch has also documented how to do an algorithm rollover,
> https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

I am not sure - is this the conservative or the liberal approach? I would think this is not conservative, as the new DNSKEYs are published together with the new RRSIGs.

Further, in the liberal approach, is it necessary that the KSK and ZSK algorithm rollovers be done at the same time, or is it allowed to just introduce a KSK with the new algorithm and still use the old ZSK?

thanks
Klaus
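To make the distinction discussed in this thread concrete, here is an added example (not from the thread, RFC 6781 or PowerDNS) that models a resolver's view of a zone at each stage of the RFC 6781 section 4.1.4 conservative rollover and checks it against the strict RFC 4035 section 2.2 rule (every DNSKEY algorithm signs every RRset) and the relaxed RFC 6840 section 5.11 rule (one valid chain is enough). The zone states, RRset labels and algorithm numbers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ZoneView:
    """What one resolver currently holds for a zone (constructed, not a real zone)."""
    dnskey_algs: set   # algorithm numbers present in the apex DNSKEY RRset
    ds_algs: set       # algorithm numbers present in the parent's DS RRset
    rrsig_algs: dict   # RRset label -> algorithm numbers that have an RRSIG over it

def strict_violations(v: ZoneView) -> list:
    """RFC 4035 2.2 read strictly: each DNSKEY algorithm must sign every RRset,
    and each DS algorithm must sign the DNSKEY RRset."""
    out = []
    for rrset, algs in v.rrsig_algs.items():
        if v.dnskey_algs - algs:
            out.append(f"{rrset} lacks RRSIG for alg {sorted(v.dnskey_algs - algs)}")
    if v.ds_algs - v.rrsig_algs["DNSKEY"]:
        out.append(f"DNSKEY lacks RRSIG for DS alg {sorted(v.ds_algs - v.rrsig_algs['DNSKEY'])}")
    return out

def liberal_accepts(v: ZoneView) -> bool:
    """RFC 6840 5.11: accept if any one DS->DNSKEY->RRSIG chain validates."""
    if not v.ds_algs & v.rrsig_algs["DNSKEY"]:
        return False
    return all(v.dnskey_algs & algs for algs in v.rrsig_algs.values())

OLD, NEW = 8, 13   # RSASHA256 -> ECDSAP256SHA256, an illustrative choice

def view(dnskey, ds, zone_sigs, dnskey_sigs):
    return ZoneView(set(dnskey), set(ds),
                    {"DNSKEY": set(dnskey_sigs), "SOA": set(zone_sigs), "www/A": set(zone_sigs)})

# RFC 6781 4.1.4 conservative order: new RRSIGs first, then DNSKEY, then DS, then retire old.
CONSERVATIVE = {
    "initial":            view([OLD], [OLD], [OLD], [OLD]),
    "publish new RRSIGs": view([OLD], [OLD], [OLD, NEW], [OLD, NEW]),
    "publish new DNSKEY": view([OLD, NEW], [OLD], [OLD, NEW], [OLD, NEW]),
    "swap DS at parent":  view([OLD, NEW], [NEW], [OLD, NEW], [OLD, NEW]),
    "remove old DNSKEY":  view([NEW], [NEW], [OLD, NEW], [OLD, NEW]),
    "remove old RRSIGs":  view([NEW], [NEW], [NEW], [NEW]),
}

# Liberal approach (keys and signatures published together): a resolver that has
# fetched the new DNSKEY RRset but still holds www/A cached with only old RRSIGs.
LIBERAL_CACHE_SKEW = ZoneView({OLD, NEW}, {OLD},
                              {"DNSKEY": {OLD, NEW}, "SOA": {OLD, NEW}, "www/A": {OLD}})

# KSK moved to the new algorithm while the ZSK still signs zone data with the old one.
NEW_KSK_OLD_ZSK = view([OLD, NEW], [NEW], [OLD], [OLD, NEW])

def report(views: dict) -> dict:
    """Label -> (strict violations, accepted by a liberal validator)."""
    return {n: (strict_violations(v), liberal_accepts(v)) for n, v in views.items()}
```

Running `report(CONSERVATIVE)` shows every conservative stage clean under both rules, while the cache-skew and KSK-only states pass only the liberal rule, which is exactly the validator population question raised above.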
