<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 2019/12/02 12:16, Michael Grimm
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:E837B0DF-7AC5-405A-97BA-6EA5BC98D889@ellael.org">
<pre class="moz-quote-pre" wrap="">Hi
Viktor Dukhovni <a class="moz-txt-link-rfc2396E" href="mailto:ietf-dane@dukhovni.org"><ietf-dane@dukhovni.org></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap=""> Also adoption of ECDSA P-256 (algorithm 13) continues to grow,
and the number of domains using P-256 KSKs has almost reached
parity with RSA-SHA256 (algorithm 8), which is just ahead for
now, but likely not for very much longer.
</pre>
</blockquote>
</blockquote>
I run a small ISP in South Africa - with about 2000 domains. About
200 of these are DNSSEC signed. I'm in the process of migrating them
from algo 8 to algo 13. It's all scripted and the conversions are all
happening automatically. <b>The KSK-ZSK chain has to be complete
through with at least one common Algorithm.</b> I also don't want
to re-sign everything at the same time - so everything is spread out
over a year. I keep KSKs for a year and ZSKs for a month.<br>
ZSKs are dealt with totally internally, whereas a KSK rollover
means talking to the Parent zone and changing DS records - so I'm
timing everything with my KSKs.<br>
<br>
<p>When a KSK is due to roll, create both an Algo-13 KSK and ZSK.
Upload the appropriate DS. Once the new DS record is "seen" (and
give it another day) - then delete the old DS, KSK and ZSK.</p>
<p>The KSK and ZSK signatures are much shorter - so you are less
likely to be used as a DDOS source for a DNS Denial of service
attack (the amplification is way lower).</p>
<p><b>You don't need to increase the Key Size. </b><br>
</p>
<blockquote type="cite"
cite="mid:E837B0DF-7AC5-405A-97BA-6EA5BC98D889@ellael.org">
<pre class="moz-quote-pre" wrap="">
My KSK and ZSK are both of algorithm 8 and 2048 bits in size.
Is it correct to assume that -due to the growing adoption of algorithm 13- that this algorithm should be preferred?
If so, I would like to migrate.
But, I do have some questions to the community beforehand:
#) Can one mix KSK and ZSK algorithms?
(I do have a rollover of my ZSKs due in a couple of days. Thus starting with ZSKs would be convenient.)
#) Would it be wise to increase from 2048 to 4096 bits size?
Thanks in advance and with kind regards,
Michael
</pre>
</blockquote>
<div class="moz-signature">-- <br>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: <a href="tel:+27826010496">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
<br>
</p>
</div>
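<p>The rollover steps described in the reply above (publish an algorithm-13 KSK and ZSK alongside the algorithm-8 pair, add the new DS at the parent, wait until it is seen plus a day, then withdraw the old DS and keys together), as an added example that is not part of the mailing-list thread or of any poster's scripts. It models a zone's DNSKEY RRset and the parent's DS set, and after each step checks the rule Mark states in bold: every algorithm in the DNSKEY RRset must sign the zone data (so it needs a ZSK) and every algorithm in the parent's DS set must sign the DNSKEY RRset (so it needs a KSK), which is the RFC 4035 section 2.2 requirement that makes a lone algorithm-13 ZSK under an algorithm-8 KSK bogus. Key tags (11111 etc.) and the DS TTL are constructed values; signing is modelled as key presence rather than by computing real RRSIGs.</p>

```python
# Added example (not from the thread): DNSSEC algorithm rollover 8 -> 13,
# with an RFC 4035 section 2.2 consistency check after every step.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RSASHA256, ECDSAP256SHA256 = 8, 13
KSK, ZSK = 257, 256   # DNSKEY flags: 257 = SEP bit set (KSK), 256 = ZSK


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    tag: int          # key tag; constructed values here, not computed from key data


@dataclass(frozen=True)
class DS:
    tag: int
    algorithm: int


@dataclass
class Zone:
    dnskeys: set = field(default_factory=set)    # apex DNSKEY RRset
    parent_ds: set = field(default_factory=set)  # DS RRset held by the parent

    def ksk_algorithms(self):
        return {k.algorithm for k in self.dnskeys if k.flags == KSK}

    def zsk_algorithms(self):
        return {k.algorithm for k in self.dnskeys if k.flags == ZSK}


def consistency_problems(zone):
    """Reasons a validator could treat the zone as bogus (empty list = fine)."""
    problems = []
    # Each algorithm in the DNSKEY RRset must sign the zone data: modelled as
    # "a ZSK of that algorithm exists".
    for alg in sorted({k.algorithm for k in zone.dnskeys} - zone.zsk_algorithms()):
        problems.append(f"no ZSK for algorithm {alg} present in DNSKEY RRset")
    # Each algorithm in the parent's DS set must sign the DNSKEY RRset
    # (a KSK of that algorithm), and each DS must point at a published key.
    for ds in sorted(zone.parent_ds, key=lambda d: (d.algorithm, d.tag)):
        if ds.algorithm not in zone.ksk_algorithms():
            problems.append(f"DS algorithm {ds.algorithm} has no KSK signing the DNSKEY RRset")
        if not any(k.tag == ds.tag and k.algorithm == ds.algorithm for k in zone.dnskeys):
            problems.append(f"DS tag {ds.tag} matches no published DNSKEY")
    return problems


def introduce_algorithm(zone, ksk_tag, zsk_tag, alg=ECDSAP256SHA256):
    """Step 1: publish the new KSK and ZSK (and sign with them) before touching DS."""
    zone.dnskeys |= {DNSKEY(KSK, alg, ksk_tag), DNSKEY(ZSK, alg, zsk_tag)}


def publish_ds(zone, ksk_tag, alg=ECDSAP256SHA256):
    """Step 2: add the new DS at the parent; the old DS stays in place."""
    zone.parent_ds.add(DS(ksk_tag, alg))


def old_algorithm_retirable(ds_seen_at, now, parent_ds_ttl, holddown=timedelta(days=1)):
    """Step 3: only retire once the new DS has been seen at the parent, plus the
    parent's DS TTL (so cached old DS sets expire) plus a day of margin."""
    return now >= ds_seen_at + parent_ds_ttl + holddown


def retire_algorithm(zone, alg=RSASHA256):
    """Step 4: drop the old DS, KSK and ZSK together."""
    zone.parent_ds = {d for d in zone.parent_ds if d.algorithm != alg}
    zone.dnskeys = {k for k in zone.dnskeys if k.algorithm != alg}


def run_rollover():
    """Walk the full rollover; returns (step name, problems) after each step."""
    zone = Zone({DNSKEY(KSK, RSASHA256, 11111), DNSKEY(ZSK, RSASHA256, 22222)},
                {DS(11111, RSASHA256)})
    log = [("initial", consistency_problems(zone))]
    introduce_algorithm(zone, 33333, 44444)
    log.append(("new keys published", consistency_problems(zone)))
    publish_ds(zone, 33333)
    log.append(("new DS published", consistency_problems(zone)))
    retire_algorithm(zone)
    log.append(("old algorithm retired", consistency_problems(zone)))
    return log


def zsk_only_rollover():
    """The mixed case Michael asked about: ZSK moved to 13 while the KSK stays at 8."""
    zone = Zone({DNSKEY(KSK, RSASHA256, 11111), DNSKEY(ZSK, ECDSAP256SHA256, 44444)},
                {DS(11111, RSASHA256)})
    return consistency_problems(zone)


if __name__ == "__main__":
    for step, problems in run_rollover():
        print(f"{step:24s} {'OK' if not problems else problems}")
    print("ZSK-only rollover:", zsk_only_rollover())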
</body>
</html>