Mixing Algorithms for DNSSEC

Mark Elkins mje at posix.co.za
Sat Oct 15 19:32:57 UTC 2011

On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote:
> On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins <mje at posix.co.za> wrote:
>         Basically - create a KSK and ZSK with RSASHA1 - Sign - and
>         visibly check
>         the results.
>         Add a new KSK using RSASHA256 - prep the zone and sign again.
>         1 - Signer is confused???? - can not sign (or generate a new
>         Signed
>         Zone)...
>                Verifying the zone using the following algorithms:
>         RSASHA1.
>                Missing self signing KSK for algorithm RSASHA256
>                The zone is not fully signed for the following
>         algorithms:
>                RSASHA256.
>                dnssec-signzone: fatal: DNSSEC completeness test
>         failed.
> When you include DNSKEYS with multiple algorithms, both the DNSKEY
> RRset and other RRsets in the zone must be signed with each algorithm
> [1].  Because you designed your RSASHA256 DNSKEY as a KSK,
> dnssec-signzone is only using it to sign the DNSKEY RRset, not other
> RRsets.  To resolve this, create a ZSK with algorithm RSASHA256 to
> your zone.


So what you are saying in practical terms is in order to migrate from
RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
cycle once a year) and then at exactly the same time start using
RSASHA256 on the KSK's (which cycle every month) - making any existing
ZSK using RSASHA1 (or their DS's in the parent) redundant after about a
further month.


And Algorithms have a tendency to be updated reasonably frequently...
every 2 to 5 years! 

That is not very friendly from a migration point of view. It would
probably be easier to first completely remove DNSSEC from a Zone then
re-install it from scratch with the new algorithms. I'm still playing
(after two years) - I don't mind. Others???? :-(

> Regards,
> Casey
> [1] See http://tools.ietf.org/html/rfc4035 - section 2.2

Mark Elkins <mje at posix.co.za>
Posix Systems
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4007 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20111015/3dc92051/attachment.bin>

More information about the bind-users mailing list