Deprecating DNSSEC algorithms 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1)

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Mar 6 17:55:05 CET 2020


On Fri, Mar 06, 2020 at 05:33:42PM +0100, Peter van Dijk wrote:

> On Thu, 2020-01-09 at 20:19 -0500, Viktor Dukhovni wrote:
> > If/when you do decide to switch algorithms, please perform the migration
> > with care.  Algorithm rollovers can be tricky.  The basic process is:
> > 
> >     1.  Publish and activate a ZSK for the new algorithm.  Your zone
> >         should now be double-signed, with each record having two
> >         RRSIGs.  Don't forget to bump the SOA.
> 
> Your zone is now bogus.

No it is not.  The zone is signed with two ZSKs, one for each
algorithm.  The idea is to sign the zone *at the same time* as
the ZSK is introduced, not add the ZSK and sign later.

> > The reason for all this is to maintain the following invariants:
> > 
> >     A. Each algorithm mentioned in the parent zone DS RRset must
> >        have a matching KSK in the zone's DNSKEY RRset.
> > 
> >     B. Each KSK algorithm appearing in the zone's DNSKEY RRset
> >        must have a corresponding ZSK signature for each record
> >        in the zone.
> 
> You are missing:
> 
> C. Each algorithm for which a DNSKEY exists, must sign all the records
> in the zone.

And the invariant holds, because it is signed with ZSKs for both
algorithms.

> Because of caching, step 1 potentially breaks this invariant.
> 
> https://tools.ietf.org/html/rfc6781#section-4.1.4 explains this at
> length (with better wording than I used), and appears to get it right.

-- 
    Viktor.
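The invariants A, B and C discussed in the exchange above, checked over a constructed toy zone, as an added example that is not part of the original thread: it models a rollover from algorithm 7 to 13 and shows that step 1 keeps the zone consistent only when the new ZSK and its signatures are published together. The Zone representation, the RRset names and the helper functions are assumptions for this example.

```python
# Invariant checker for a DNSSEC algorithm rollover (constructed toy model).
# Algorithm numbers: 7 = RSASHA1-NSEC3-SHA1, 13 = ECDSAP256SHA256.
from dataclasses import dataclass

KSK_FLAGS = 257  # DNSKEY flags with the SEP bit set
ZSK_FLAGS = 256


@dataclass
class Zone:
    ds_algs: set    # algorithms present in the parent's DS RRset
    dnskeys: list   # (flags, algorithm) tuples in the zone's DNSKEY RRset
    rrsigs: dict    # RRset name -> set of algorithms with a covering RRSIG


def check_invariants(zone):
    """Return the list of violated invariants; an empty list means the zone is consistent."""
    problems = []
    ksk_algs = {alg for flags, alg in zone.dnskeys if flags == KSK_FLAGS}
    all_algs = {alg for _, alg in zone.dnskeys}
    # A: every algorithm in the parent DS RRset has a matching KSK in DNSKEY.
    for alg in sorted(zone.ds_algs - ksk_algs):
        problems.append(f"A: DS algorithm {alg} has no KSK in DNSKEY RRset")
    # B/C: every algorithm present in DNSKEY (KSK or ZSK) signs every RRset.
    for alg in sorted(all_algs):
        unsigned = sorted(name for name, algs in zone.rrsigs.items() if alg not in algs)
        if unsigned:
            problems.append(f"C: algorithm {alg} does not sign {', '.join(unsigned)}")
    return problems


def add_zsk(zone, alg, sign_now):
    """Step 1 of the rollover: publish a ZSK for alg and, if sign_now, double-sign every RRset at once."""
    zone.dnskeys.append((ZSK_FLAGS, alg))
    if sign_now:
        for algs in zone.rrsigs.values():
            algs.add(alg)
    return zone


def example_zone():
    # Constructed starting point: algorithm 7 only, DS, KSK and ZSK all consistent.
    return Zone(ds_algs={7},
                dnskeys=[(KSK_FLAGS, 7), (ZSK_FLAGS, 7)],
                rrsigs={"example.test./SOA": {7},
                        "example.test./DNSKEY": {7},
                        "www.example.test./A": {7}})
```

Running `check_invariants(add_zsk(example_zone(), 13, sign_now=False))` reports the unsigned RRsets for algorithm 13, which is the "zone is now bogus" case; with `sign_now=True` the list is empty.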
