Algorithm rollover - OOOOPS!!!
john at klam.ca
Sat Jan 17 15:31:52 CET 2015
On 1/12/2015 3:28 PM, John wrote:
> On 1/12/2015 10:48 AM, Viktor Dukhovni wrote:
>> On Mon, Jan 12, 2015 at 09:29:59AM -0500, John wrote:
>>> This may be the wrong mailing list but I cannot find another concerning
>>> DNSSEC general.
>> Note, this list does not have very many subscribers as yet (just
>> 20 at present), and it seems you're posting from a different addres
>> than the one you subscribed with (you've left off the address
>> extension) so the list moderators have to manually release your
> That's what comes of trying to be cute. I was trying to make life
> easier for myself and avoid having create a filter.
>>> When I originally setup DNSSEC I used the RSASHA1 algorithm as this
>>> to be the only one that could be used with NSEC3.
>>> However, further reading (and/or changes in DNSSEC) would indicate the
>>> RSASHA256... can also be used with NSEC3.
>> Yes, algorithm 7 vs algorithm 8.
>>> As a result I would like change algorithm.
>> Note that, for example, the .org zone is also using algorithm 7.
>> You're in good company.
>>> 1) delete the keys that have been published including the .ca (?
>>> tech term), publish new keys for the site and wait for the dust to
>> The correct way to do algorithm rollover in DNSSEC is:
>> * First include additional keys in your zone (publish DNSKEY
>> records at the zone apex for both algorithm 7 and 8).
>> * Wait a few TTLs after all the secondary nameservers also have the
>> new keys.
>> * Publish additional DS records matching the algorithm 8 KSK via
>> your registrar.
>> * Wait a couple of parent zone TTLs.
>> * Delete the algorithm 7 DS RRs.
>> * Wait a few more parent zone TTLs.
>> * Delete the algorithm 7 DNSKEY records from the zone apex.
>> The important invariant here is that all times each DS record from
>> the parent zone unexpired in any resolvers cache or served by the
>> parent zone must match some DNSKEY at the zone apex unexpired in
>> that resolvers cache or served by the zone's nameservers.
> Which is what I thought.
Well I tied it .........!/!!/***
I don't know what I did wrong but at some point the algorithm 8 KSK
became a ZSK and things went downhill from there real fast.
In the end I decided that I had lost control and that as nobody could be
relying on my DNSSEC info that a tear-down and rebuild was required.
I obviously screwed up, as I said I am not sure the what, when or how!
My only advice to anybody thinking of doing this is be very cautious. I
would suggest setting up a test server (if you have the resources) and
working upon that. Then once everything looks OK switch it to live.
As every cat owner knows, nobody owns a cat.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4268 bytes
Desc: S/MIME Cryptographic Signature
More information about the dane-users