Algorithm rollover

John john at klam.ca
Mon Jan 12 21:28:36 CET 2015


On 1/12/2015 10:48 AM, Viktor Dukhovni wrote:
> On Mon, Jan 12, 2015 at 09:29:59AM -0500, John wrote:
>
>> This may be the wrong mailing list, but I cannot find another concerning
>> DNSSEC in general.
> Note, this list does not have very many subscribers as yet (just
> 20 at present), and it seems you're posting from a different address
> than the one you subscribed with (you've left off the address
> extension) so the list moderators have to manually release your
> posts.

That's what comes of trying to be cute. I was trying to make life easier 
for myself and avoid having to create a filter.

>> When I originally set up DNSSEC I used the RSASHA1 algorithm as this seemed
>> to be the only one that could be used with NSEC3.
>>
>> However, further reading (and/or changes in DNSSEC) would indicate the
>> RSASHA256... can also be used with NSEC3.
> Yes, algorithm 7 vs algorithm 8.
>
>> As a result I would like to change algorithm.
> Note that, for example, the .org zone is also using algorithm 7.
> You're in good company.
>
>> 1) delete the keys that have been published including the .ca (? forgotten
>> tech term), publish new keys for the site and wait for the dust to settle.
> The correct way to do algorithm rollover in DNSSEC is:
>
>      * First include additional keys in your zone (publish DNSKEY
>        records at the zone apex for both algorithm 7 and 8).
>
>      * Wait a few TTLs after all the secondary nameservers also have the
>        new keys.
>
>      * Publish additional DS records matching the algorithm 8 KSK via
>        your registrar.
>
>      * Wait a couple of parent zone TTLs.
>
>      * Delete the algorithm 7 DS RRs.
>
>      * Wait a few more parent zone TTLs.
>
>      * Delete the algorithm 7 DNSKEY records from the zone apex.
>
> The important invariant here is that at all times each DS record from
> the parent zone, unexpired in any resolver's cache or served by the
> parent zone, must match some DNSKEY at the zone apex, unexpired in
> that resolver's cache or served by the zone's nameservers.
>
Which is what I thought.

-- 
John Allen
KLaM
------------------------------------------
You are off the edge of the map, mate. Here there be monsters!
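The invariant Viktor states above (every DS a resolver may still hold must match a DNSKEY in every DNSKEY RRset that resolver may still hold) can be checked mechanically before each step of the rollover. The following is an added example, not code from the list or from any DNS software: it computes DS records from DNSKEY RDATA the way RFC 4034 specifies and walks a rollover plan looking for a transition that breaks the invariant. The zone name `example.ca` and the two KSK public keys are constructed sample values, not real key material.

```python
import hashlib
import struct
from typing import NamedTuple

class DNSKEY(NamedTuple):
    flags: int      # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int  # 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256
    pubkey: bytes   # public-key field of the RDATA

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: bytes

def wire_name(name: str) -> bytes:  # canonical (lower-case) wire form
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_rdata(key: DNSKEY) -> bytes:
    return struct.pack("!HBB", key.flags, 3, key.algorithm) + key.pubkey

def key_tag(key: DNSKEY) -> int:  # RFC 4034, Appendix B
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(key_rdata(key)))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, key: DNSKEY) -> DS:
    """DS for a DNSKEY: SHA-256 over owner name + RDATA (RFC 4034, 5.1.4)."""
    digest = hashlib.sha256(wire_name(owner) + key_rdata(key)).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)

def unsafe_transition(owner, prev, cur):
    """DS records that break the invariant when the zone moves prev -> cur.
    States are (ds_set, apex_keys); a resolver may still hold the old DS or
    the old DNSKEY RRset, so each DS must match a key in BOTH DNSKEY sets."""
    (prev_ds, prev_keys), (cur_ds, cur_keys) = prev, cur
    return [ds for ds in prev_ds | cur_ds
            if any(all(make_ds(owner, k) != ds for k in keys)
                   for keys in (prev_keys, cur_keys))]

def first_unsafe_step(owner, states):  # index of first unsafe step, or -1
    bad = [i for i in range(1, len(states))
           if unsafe_transition(owner, states[i - 1], states[i])]
    return bad[0] if bad else -1

# Constructed sample KSKs for a zone under .ca (not real key material).
ZONE = "example.ca"
KSK7 = DNSKEY(257, 7, bytes(range(1, 33)))
KSK8 = DNSKEY(257, 8, bytes(range(33, 65)))
```

Each "wait a few TTLs" step in the procedure is what lets consecutive states be compared pairwise; collapsing two steps into one (for instance publishing the algorithm 8 DS in the same change that adds the algorithm 8 DNSKEY) is exactly what the checker flags.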
