Algorithm rollover - OOOOPS!!!

John john at klam.ca
Tue Jan 20 13:42:50 CET 2015


On 1/17/2015 11:11 AM, Carsten Strotmann wrote:

> doing a DNSSEC algorithm rollover is not simple. To my knowledge there
> is currently no software support for algorithm rollovers. Therefore it
> is important to choose a good algorithm in the beginning.
Choosing an algorithm is probably one of the more important decisions to 
be made in the planning stage.
I think my mistake was choosing the "wrong" algorithm.
Overall, underestimating the complexity of implementing DNSSEC and 
overconfidence in my ability to implement it were my biggest problems.
Fortunately I started with my lab rat DNS, and the only people affected 
were family and some friends.
> RFC 6781, 4.1.4 describes the steps for such a rollover in detail (I
> mention this here for admins that want to start an algorithm rollover
> and come across this post): https://tools.ietf.org/html/rfc6781
Yep, I read this camel of a document.
>
> The Czech TLD registry did an algorithm rollover in 2010 and documented
> their findings -> http://www.ripe.net/ripe/meetings/regional-meetings/moscow-2010/DNSSEC20101001OFNSEC3.pdf
>
I totally agree with them - plan, plan - rehearse, rehearse, rehearse.

-- 
John Allen
KLaM
------------------------------------------
definition: Camel, a horse designed by a committee.
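To make the ordering constraint behind the "OOOOPS" concrete, here is an added model (not code from this post, the list, or the RFC) of what a strict validator checks during an algorithm rollover. It encodes two rules, RFC 4035 section 2.2 (every algorithm in the apex DNSKEY RRset must sign every RRset) and RFC 6840 section 5.11 (every algorithm in the parent's DS RRset must have a matching DNSKEY), and walks a constructed example zone through the conservative step order of RFC 6781 section 4.1.4 (new signatures, then new DNSKEY, then new DS, then remove the old DNSKEY, then remove the old signatures), and then through the tempting shortcut of publishing the new key first. The zone names, the single-step DS swap, and the absence of TTL waiting between steps are simplifications of this model, not statements about any particular zone or software.

```python
"""Model of the validator rules that make a DNSSEC algorithm rollover
order-sensitive.  Added example; the step order follows the conservative
approach of RFC 6781 s.4.1.4 as read by the editor, and TTL waits between
steps are deliberately not modelled."""

from copy import deepcopy
from dataclasses import dataclass, field

# Algorithm numbers from the IANA DNS Security Algorithm Numbers registry.
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13

# Constructed sample zone: the RRsets that carry RRSIGs.
RRSETS = ("example.SOA", "example.NS", "example.DNSKEY", "www.example.A")


@dataclass
class ZoneState:
    """Which algorithms are visible where, at one point in the rollover."""
    step: str
    dnskey_algs: set            # algorithms present in the apex DNSKEY RRset
    ds_algs: set                # algorithms of the DS RRset at the parent
    rrsig_algs: dict = field(default_factory=dict)  # RRset -> signing algorithms


def validation_problems(z: ZoneState) -> list:
    """Reasons a strict validator would treat this state as bogus.

    Rule 1 (RFC 4035 s.2.2): every algorithm in the DNSKEY RRset must have
    an RRSIG on every RRset.  RRSIGs whose algorithm has no DNSKEY are merely
    ignored, so publishing them early is harmless.
    Rule 2 (RFC 6840 s.5.11): every algorithm in the DS RRset must have a
    matching DNSKEY at the child, or the chain of trust breaks."""
    problems = []
    for name in RRSETS:
        for alg in sorted(z.dnskey_algs - z.rrsig_algs.get(name, set())):
            problems.append(f"{z.step}: {name} has no RRSIG of algorithm {alg} "
                            f"but a DNSKEY of that algorithm is published")
    for alg in sorted(z.ds_algs - z.dnskey_algs):
        problems.append(f"{z.step}: DS of algorithm {alg} at parent matches no DNSKEY")
    return problems


def _signed_with(algs):
    """Every RRset in the zone signed with exactly these algorithms."""
    return {name: set(algs) for name in RRSETS}


def _advance(prev: ZoneState, step: str, **changes) -> ZoneState:
    """Next state: copy the previous one and apply the listed changes."""
    nxt = deepcopy(prev)
    nxt.step = step
    for attr, value in changes.items():
        setattr(nxt, attr, value)
    return nxt


def conservative_rollover(old: int, new: int) -> list:
    """States after each step of the RFC 6781 s.4.1.4 conservative order.
    In practice the operator waits at least the longest relevant TTL between
    steps; a double-DS period instead of the single-step swap is equally valid."""
    s = [ZoneState("initial", {old}, {old}, _signed_with({old}))]
    s.append(_advance(s[-1], "new RRSIGs", rrsig_algs=_signed_with({old, new})))
    s.append(_advance(s[-1], "new DNSKEY", dnskey_algs={old, new}))
    s.append(_advance(s[-1], "new DS", ds_algs={new}))
    s.append(_advance(s[-1], "old DNSKEY removed", dnskey_algs={new}))
    s.append(_advance(s[-1], "old RRSIGs removed", rrsig_algs=_signed_with({new})))
    return s


def rushed_rollover(old: int, new: int) -> list:
    """The shortcut: publish the new DNSKEY and DS before the zone is fully
    re-signed with the new algorithm."""
    s = [ZoneState("initial", {old}, {old}, _signed_with({old}))]
    s.append(_advance(s[-1], "new DNSKEY", dnskey_algs={old, new}))
    s.append(_advance(s[-1], "new DS", ds_algs={new}))
    s.append(_advance(s[-1], "new RRSIGs", rrsig_algs=_signed_with({old, new})))
    return s


def first_failure(states: list) -> list:
    """Problems at the first state a validator would reject ([] if none)."""
    for z in states:
        problems = validation_problems(z)
        if problems:
            return problems
    return []


if __name__ == "__main__":
    for label, plan in (("conservative", conservative_rollover),
                        ("rushed", rushed_rollover)):
        failure = first_failure(plan(RSASHA1, ECDSAP256SHA256))
        print(f"{label}: {'ok at every step' if not failure else failure[0]}")
```

Run as a script it reports the conservative order as clean at every step and names the exact step and RRset at which the rushed order first goes bogus. Extending the model with per-step TTL waits is the natural next step if you want to rehearse a real zone's timeline rather than just its ordering.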

More information about the dane-users mailing list