ietf-dane at dukhovni.org
Mon Jan 12 16:48:46 CET 2015
On Mon, Jan 12, 2015 at 09:29:59AM -0500, John wrote:
> This may be the wrong mailing list but I cannot find another concerning
> DNSSEC general.
Note, this list does not have very many subscribers as yet (just
20 at present), and it seems you're posting from a different addres
than the one you subscribed with (you've left off the address
extension) so the list moderators have to manually release your
> When I originally setup DNSSEC I used the RSASHA1 algorithm as this seemed
> to be the only one that could be used with NSEC3.
> However, further reading (and/or changes in DNSSEC) would indicate the
> RSASHA256... can also be used with NSEC3.
Yes, algorithm 7 vs algorithm 8.
> As a result I would like change algorithm.
Note that, for example, the .org zone is also using algorithm 7.
You're in good company.
> 1) delete the keys that have been published including the .ca (? forgotten
> tech term), publish new keys for the site and wait for the dust to settle.
The correct way to do algorithm rollover in DNSSEC is:
* First include additional keys in your zone (publish DNSKEY
records at the zone apex for both algorithm 7 and 8).
* Wait a few TTLs after all the secondary nameservers also have the
* Publish additional DS records matching the algorithm 8 KSK via
* Wait a couple of parent zone TTLs.
* Delete the algorithm 7 DS RRs.
* Wait a few more parent zone TTLs.
* Delete the algorithm 7 DNSKEY records from the zone apex.
The important invariant here is that all times each DS record from
the parent zone unexpired in any resolvers cache or served by the
parent zone must match some DNSKEY at the zone apex unexpired in
that resolvers cache or served by the zone's nameservers.
More information about the dane-users