[Pdns-users] DNSSEC Algorithm Rollover Documentation

Tony Finch dot at dotat.at
Tue May 4 21:07:33 UTC 2021 

Klaus Darilion <klaus.darilion at nic.at> wrote:
> Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote:
> >
> > Tony Finch has also documented how to do an algorithm rollover,
> > https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>
> I am not sure - Is this the conservative or liberal approach? I would
> think this is not conservative as the new DNSKEYs are published together
> with the new RRSIGs.

Correct, it's the easy "liberal" approach. The "conservative" approach was
necessary to work with very old versions of unbound which were excessively
strict. (There is a requirement in the DNSSEC RFCs that is supposed to
apply to signers only, but unbound also checked it as a validator.)

That issue is long gone now.

I felt safe using the easier "liberal" approach following reports from a
number of TLDs that it worked OK for them. (I can't remember which ones
now, but they did presentations at past DNS-OARC meetings.)

> Further, in the liberal approach, it is necessary that KSK and ZSK
> algorithm rollover must be done at the same time, or may it be allowed
> to just introduce a KSK with new algorithm and still use the old ZSK?

DNSSEC algorithms are a whole-zone thing. You will probably find that if
you generate only one key for a new algorithm, your signer will use it as
a CSK ("combined", signing both zone and keys).

In any case, before you change the DS records, the whole zone has to be
signed with the new algorithm and you have to wait for all old
single-algorithm signatures to expire from caches - even if you do a
double-DS rollover. This is so that if a validator sees both old and new
algorithm in your DS records, and chooses to prefer the newer algorithm
and ignore the old and busted algorithm, it is still sure to be able to
validate.

Tony (explaining in detail for everyone on the list, not just those in the
headers of this message!)
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Lands End to St Davids Head including the Bristol Channel: West or
northwest 4 to 6. Rough until later in west, otherwise slight or
moderate. Showers. Good, occasionally moderate.

More information about the Pdns-users mailing list