Update on stats 2019-11

Michael Grimm trashcan at ellael.org
Mon Dec 2 18:14:10 CET 2019


Hi,

Never mind, but I believe that I found an answer to one of my questions in the meantime.

Michael Grimm <trashcan at ellael.org> wrote:
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
>>         Also adoption of ECDSA P-256 (algorithm 13) continues to grow,
>>         and the number of domains using P-256 KSKs has almost reached
>>         parity with RSA-SHA256 (algorithm 8), which is just ahead for
>>         now, but likely not for very much longer.
> 
> 
> My KSK and ZSK are both of algorithm 8 and 2048 bits in size.
> 
> Is it correct to assume that - due to the growing adoption of algorithm 13 - this algorithm should be preferred?
> If so, I would like to migrate.
> But, I do have some questions for the community beforehand:
> 
> #) Can one mix KSK and ZSK algorithms? 
> 
>   (I do have a rollover of my ZSKs due in a couple of days. Thus starting with ZSKs would be convenient.)

https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over
https://medium.com/nlnetlabs/algorithm-rollover-in-opendnssec-1-3-bf1dfa480aa7

Both articles suggest that one should change the algorithm on both keys during a simultaneous rollover operation with additional precautions.

(Because I am using OpenDNSSEC v2 I will take the second article as a guideline.)

> #) Would it be wise to increase from 2048 to 4096 bits size?

With kind regards,
Michael
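
The rule behind the simultaneous rollover, as an added example that is not part of the original message: RFC 4035 section 2.2 requires every RRset to carry an RRSIG for each algorithm present in the apex DNSKEY RRset, and the DNSKEY RRset to be signed by each algorithm in the parent's DS RRset. The zone states below are constructed sample data and the function name is hypothetical.

```python
# Added example; zone states are constructed sample data, names are hypothetical.
# DNSSEC algorithm numbers: 8 = RSA-SHA256, 13 = ECDSA P-256.

def completeness_problems(zone):
    """Check a zone state against RFC 4035 section 2.2.

    zone = {"ds": [...], "dnskey": [...], "rrsig": {rrset_name: [...]}}
    where every list holds DNSSEC algorithm numbers.
    """
    problems = []
    rrsig = zone["rrsig"]
    # The apex DNSKEY RRset must be signed by every algorithm in the parent DS RRset.
    for alg in sorted(set(zone["ds"]) - set(rrsig.get("DNSKEY", []))):
        problems.append(f"DNSKEY RRset has no RRSIG for DS algorithm {alg}")
    # Every RRset needs an RRSIG for each algorithm present in the DNSKEY RRset.
    for name in sorted(rrsig):
        for alg in sorted(set(zone["dnskey"]) - set(rrsig[name])):
            problems.append(f"{name} RRset has no RRSIG for DNSKEY algorithm {alg}")
    return problems

# Only the ZSK was rolled to algorithm 13; KSK and DS are still algorithm 8.
ZSK_ONLY = {"ds": [8], "dnskey": [8, 13],
            "rrsig": {"DNSKEY": [8], "SOA": [13], "MX": [13]}}

# Transitional state of a full algorithm rollover: both algorithms sign everything.
DOUBLE_SIGNED = {"ds": [8], "dnskey": [8, 13],
                 "rrsig": {"DNSKEY": [8, 13], "SOA": [8, 13], "MX": [8, 13]}}

# End state: old algorithm fully withdrawn, DS switched to algorithm 13.
FINISHED = {"ds": [13], "dnskey": [13],
            "rrsig": {"DNSKEY": [13], "SOA": [13], "MX": [13]}}

if __name__ == "__main__":
    for label, zone in [("ZSK only", ZSK_ONLY),
                        ("double signed", DOUBLE_SIGNED),
                        ("finished", FINISHED)]:
        found = completeness_problems(zone)
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```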


