Deprecating DNSSEC algorithms 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1)
Peter van Dijk
peter.van.dijk at powerdns.com
Fri Mar 6 17:33:42 CET 2020
On Thu, 2020-01-09 at 20:19 -0500, Viktor Dukhovni wrote:
> If/when you do decide to switch algorithms, please perform the migration
> with care. Algorithm rollovers can be tricky. The basic process is:
>
> 1. Publish and activate a ZSK for the new algorithm. Your zone
> should now be double-signed, with each record having two
> RRSIGs. Don't forget to bump the SOA.
Your zone is now bogus.
> The reason for all this is to maintain the following invariants:
>
> A. Each algorithm mentioned in the parent zone DS RRset must
> have a matching KSK in the zone's DNSKEY RRset.
>
> B. Each KSK algorithm appearing in the zone's DNSKEY RRset
> must have a corresponding ZSK signature for each record
> in the zone.
You are missing:
C. Each algorithm for which a DNSKEY exists must sign all the records
in the zone.
Because of caching, step 1 potentially breaks this invariant.
https://tools.ietf.org/html/rfc6781#section-4.1.4 explains this at
length (with better wording than I used), and appears to get it right.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
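An added example (not from the thread) that checks invariant C against the cache combinations a validator can see during a rollover: the quoted step 1 (publish key and double-sign at once) versus the ordering in RFC 6781 section 4.1.4 (add the new algorithm's RRSIGs first, publish its DNSKEY later). Algorithm 13 as the new algorithm is a constructed choice.

```python
"""Invariant C: every algorithm present in the DNSKEY RRset must sign every
RRset. A validator may hold the DNSKEY RRset from one zone snapshot and an
RRset with its RRSIGs from another; enumerate those combinations."""
from itertools import product

OLD_ALG, NEW_ALG = 7, 13  # constructed: 7 = RSASHA1-NSEC3-SHA1, 13 = ECDSAP256SHA256
RRSETS = ("example. SOA", "example. NS", "www.example. A")  # constructed zone

def zone_state(dnskey_algs, rrsig_algs):
    """Snapshot: algorithms in the DNSKEY RRset, and per RRset the
    algorithms that have an RRSIG over it (same set for every RRset here)."""
    return {"dnskey": frozenset(dnskey_algs),
            "rrsigs": {name: frozenset(rrsig_algs) for name in RRSETS}}

def invariant_c_violations(dnskey_algs, rrsigs):
    """Return {rrset: algorithms that have a DNSKEY but no RRSIG over it}."""
    return {name: dnskey_algs - algs
            for name, algs in rrsigs.items() if dnskey_algs - algs}

def cache_mix_violations(before, after):
    """Check invariant C for every way a cache can pair a DNSKEY RRset
    from one snapshot with RRSIGs from the other (both still within TTL)."""
    problems = {}
    snaps = (("before", before), ("after", after))
    for (kname, keys), (dname, data) in product(snaps, repeat=2):
        bad = invariant_c_violations(keys["dnskey"], data["rrsigs"])
        if bad:
            problems[f"DNSKEY from {kname}, RRSIGs from {dname}"] = bad
    return problems

def double_sign_first():
    """Quoted step 1: publish the new ZSK and double-sign in one change."""
    before = zone_state({OLD_ALG}, {OLD_ALG})
    after = zone_state({OLD_ALG, NEW_ALG}, {OLD_ALG, NEW_ALG})
    return cache_mix_violations(before, after)

def sign_then_publish_key():
    """RFC 6781 4.1.4 ordering: new RRSIGs first, new DNSKEY afterwards.
    Returns the first violating transition found, or {} if none."""
    start = zone_state({OLD_ALG}, {OLD_ALG})
    signed = zone_state({OLD_ALG}, {OLD_ALG, NEW_ALG})
    published = zone_state({OLD_ALG, NEW_ALG}, {OLD_ALG, NEW_ALG})
    return (cache_mix_violations(start, signed)
            or cache_mix_violations(signed, published))
```

The first scenario reports the cached-new-DNSKEY plus old-RRSIGs pairing with algorithm 13 missing on every RRset; the second reports nothing.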