Algorithm rollover - OOOOPS!!!

John john at
Tue Jan 20 13:42:50 CET 2015

On 1/17/2015 11:11 AM, Carsten Strotmann wrote:

> doing a DNSSEC algorithm rollover is not simple. To my knowledge there
> is currently no software support for algorithm rollovers. Therefore it
> is important to choose a good algorithm in the beginning.
Choosing an algorithm is probably one of the more important decisions to 
be made in the planning stage.
I think my mistake was choosing the "wrong" algorithm.
Overall, underestimating the complexity of implementing DNSSEC and 
overconfidence in my ability to implement it were my biggest problems.
Fortunately I started with my lab rat DNS, and the only people affected 
were family and some friends.
> RFC 6781, 4.1.4 describes the steps for such a rollover in detail (I
> mention this here for admins that want to start an algorithm rollover
> and come across this post):
Yep, I read this camel of a document.
> The Czech TLD registry did an algorithm rollover in 2010 and documented
> their findings ->
I totally agree with them - plan, plan - rehearse, rehearse, rehearse.

John Allen
definition: Camel, a horse designed by a committee.
