Mixing Algorithms for DNSSEC
mje at posix.co.za
Sat Oct 15 19:32:57 UTC 2011
On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote:
> On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins <mje at posix.co.za> wrote:
>> Basically - create a KSK and ZSK with RSASHA1 - Sign - and
>> visibly check
>> the results.
>> Add a new KSK using RSASHA256 - prep the zone and sign again.
>> 1 - Signer is confused???? - can not sign (or generate a new
>> Verifying the zone using the following algorithms:
>> Missing self signing KSK for algorithm RSASHA256
>> The zone is not fully signed for the following
>> dnssec-signzone: fatal: DNSSEC completeness test
> When you include DNSKEYS with multiple algorithms, both the DNSKEY
> RRset and other RRsets in the zone must be signed with each algorithm.
> Because you designed your RSASHA256 DNSKEY as a KSK,
> dnssec-signzone is only using it to sign the DNSKEY RRset, not other
> RRsets. To resolve this, create a ZSK with algorithm RSASHA256 to
> your zone.
So what you are saying in practical terms is in order to migrate from
RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
cycle once a year) and then at exactly the same time start using
RSASHA256 on the KSKs (which cycle every month) - making any existing
ZSK using RSASHA1 (or their DSs in the parent) redundant after about a
And algorithms have a tendency to be updated reasonably frequently...
every 2 to 5 years!
That is not very friendly from a migration point of view. It would
probably be easier to first completely remove DNSSEC from a Zone then
re-install it from scratch with the new algorithms. I'm still playing
(after two years) - I don't mind. Others???? :-(
>  See http://tools.ietf.org/html/rfc4035 - section 2.2
Mark Elkins <mje at posix.co.za>
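The rule Casey points to (RFC 4035 section 2.2: every RRset must be signed with every algorithm that appears in the apex DNSKEY RRset) is what dnssec-signzone's "completeness test" enforces, and it is why adding only an RSASHA256 KSK fails while adding an RSASHA256 ZSK as well succeeds. The script below is an added illustration, not BIND's code and not part of this thread: it builds a small constructed zone, signs it with a toy signer that uses the key-usage convention Casey describes (KSKs sign only the DNSKEY RRset, ZSKs sign the other RRsets), and then reports, per RRset, which DNSKEY algorithms have no covering RRSIG. The zone name, record set and the simplified signer are assumptions for the example.

```python
"""Toy model of the RFC 4035 s2.2 algorithm-completeness check.

Added example, not dnssec-signzone's implementation. Records are
(owner, rtype, rdata) tuples; DNSKEY rdata is (flags, algorithm) and
RRSIG rdata is (type_covered, algorithm). No real cryptography is done:
only the algorithm bookkeeping that the completeness test looks at.
"""
from collections import defaultdict

RSASHA1, RSASHA256 = 5, 8      # IANA DNSSEC algorithm numbers
KSK, ZSK = 257, 256            # DNSKEY flags (257 has the SEP bit set)

# Constructed unsigned zone: just the (owner, rtype) pairs matter here.
APEX = "example."
UNSIGNED = [
    (APEX, "SOA"),
    (APEX, "NS"),
    ("www." + APEX, "A"),
]


def sign_zone(unsigned, apex, keys):
    """Toy signer. Assumption for this example: a KSK signs only the apex
    DNSKEY RRset and a ZSK signs every other RRset (this is the behaviour
    described in the thread; BIND's default also lets ZSKs sign DNSKEY
    unless -x is given, which does not change the result below)."""
    records = [(owner, rtype, None) for owner, rtype in unsigned]
    records += [(apex, "DNSKEY", (flags, alg)) for flags, alg in keys]
    for flags, alg in keys:
        if flags == KSK:
            records.append((apex, "RRSIG", ("DNSKEY", alg)))
        else:
            for owner, rtype in unsigned:
                records.append((owner, "RRSIG", (rtype, alg)))
    return records


def missing_algorithms(records, apex):
    """Return {(owner, rtype): [algorithms]} for every RRset that lacks an
    RRSIG for some algorithm present in the apex DNSKEY RRset. An empty
    dict means the zone passes the completeness test."""
    required = {rdata[1] for owner, rtype, rdata in records
                if owner == apex and rtype == "DNSKEY"}
    signed = defaultdict(set)   # (owner, type_covered) -> algorithms seen
    rrsets = set()
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            signed[(owner, rdata[0])].add(rdata[1])
        else:
            rrsets.add((owner, rtype))
    return {rrset: sorted(required - signed[rrset])
            for rrset in sorted(rrsets)
            if required - signed[rrset]}


def rollover_step(keys):
    """Sign the constructed zone with `keys` and return the report."""
    return missing_algorithms(sign_zone(UNSIGNED, APEX, keys), APEX)


if __name__ == "__main__":
    # The thread's failing step: RSASHA1 KSK+ZSK, then an RSASHA256 KSK.
    # Every non-DNSKEY RRset is reported as missing algorithm 8.
    print(rollover_step([(KSK, RSASHA1), (ZSK, RSASHA1), (KSK, RSASHA256)]))
    # Adding the RSASHA256 ZSK too: every RRset now carries both algorithms.
    print(rollover_step([(KSK, RSASHA1), (ZSK, RSASHA1),
                         (KSK, RSASHA256), (ZSK, RSASHA256)]))
    # The mirror case, an RSASHA256 ZSK with no matching KSK, leaves the
    # DNSKEY RRset itself without an algorithm-8 signature.
    print(rollover_step([(KSK, RSASHA1), (ZSK, RSASHA1), (ZSK, RSASHA256)]))
```

The practical reading for a migration is the one the thread arrives at: an algorithm is introduced as a complete KSK+ZSK pair so that both the DNSKEY RRset and the data RRsets are covered, the new DS is published at the parent, and only then is the old algorithm's pair withdrawn.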