Algorithm rollover

John john at
Mon Jan 12 15:29:59 CET 2015

This may be the wrong mailing list but I cannot find another concerning 
DNSSEC in general.

When I originally set up DNSSEC I used the RSASHA1 algorithm as this 
seemed to be the only one that could be used with NSEC3.
However, further reading (and/or changes in DNSSEC) would indicate that 
RSASHA256... can also be used with NSEC3.
As a result I would like to change algorithm. I am using my family's domain 
rather than a /live/ domain for testing, which would seem to give me one 
of two options.
1) delete the keys that have been published including the .ca (? 
forgotten tech term), publish new keys for the site and wait for the 
dust to settle. As the site is small, not heavily used and does not 
support anything critical this may be the simplest solution. Problem, I 
don't learn anything!
2) generate new keys, publish them as new for rollover at all levels 
including TLD (?), on the date the current keys become inactive (or new 
keys become active) resign the domain.
I am not sure that 2 is correct, and additionally I am not sure that I 
want to take the delay.
John Allen
OK, so what is the speed of dark?
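The safety condition behind option 2 above is that a validator must be able to build a chain for every algorithm it sees: each algorithm in the parent's DS set needs a DNSKEY at the apex, and every RRset must carry an RRSIG for every algorithm in the apex DNSKEY RRset (RFC 4035 section 2.2, RFC 6781 section 4.1.4). The following is an added example, not code from the thread or from any DNS software; it models the zone at each phase of a double-signature rollover from algorithm 7 (RSASHA1-NSEC3-SHA1) to 8 (RSASHA256) and checks that invariant, with the RRset names being constructed sample data.

```python
from dataclasses import dataclass

RSASHA1_NSEC3_SHA1 = 7  # IANA DNSSEC algorithm numbers
RSASHA256 = 8


@dataclass
class ZoneState:
    """Algorithms present at each layer: parent DS, apex DNSKEY, RRSIGs per RRset."""
    ds_algs: set
    dnskey_algs: set
    rrsig_algs: dict  # RRset name -> set of algorithms that sign it


def check_rollover_state(state):
    """Return a list of chain-of-trust problems; an empty list means safe."""
    problems = []
    for alg in state.ds_algs:
        if alg not in state.dnskey_algs:
            problems.append(f"DS lists algorithm {alg} but no DNSKEY of that algorithm")
    if not state.ds_algs & state.dnskey_algs:
        problems.append("no DS algorithm matches any DNSKEY: chain of trust broken")
    for name, algs in state.rrsig_algs.items():
        for alg in state.dnskey_algs:
            if alg not in algs:
                problems.append(f"{name}: DNSKEY algorithm {alg} present but no RRSIG with it")
    return problems


def conservative_rollover(old, new, rrsets):
    """Phases of a double-signature algorithm rollover. Each phase must pass
    check_rollover_state before the TTL wait that precedes the next one."""
    both = {old, new}
    return [
        ("0 initial", ZoneState({old}, {old}, {n: {old} for n in rrsets})),
        ("1 add new DNSKEY, sign every RRset with both", ZoneState({old}, both, {n: both for n in rrsets})),
        ("2 after max zone TTL, swap DS at the parent", ZoneState({new}, both, {n: both for n in rrsets})),
        ("3 after DS TTL, drop old keys and signatures", ZoneState({new}, {new}, {n: {new} for n in rrsets})),
    ]


def premature_ds_change(old, new, rrsets):
    """The shortcut to avoid: parent DS changed before any new-algorithm RRSIGs exist."""
    return ZoneState({new}, {old}, {n: {old} for n in rrsets})


if __name__ == "__main__":
    sample = ["example.ca. SOA", "www.example.ca. A"]  # constructed RRset names
    for label, st in conservative_rollover(RSASHA1_NSEC3_SHA1, RSASHA256, sample):
        print(label, check_rollover_state(st) or "ok")
    print("shortcut:", check_rollover_state(premature_ds_change(7, 8, sample)))
```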