Mixing Algorithms for DNSSEC

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Oct 15 19:58:34 UTC 2011

On 15/10/2011 20:32, Mark Elkins wrote:
> So what you are saying in practical terms is in order to migrate from
> RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> cycle once a year) and then at exactly the same time start using
> RSASHA256 on the KSK's (which cycle every month) - making any existing
> ZSK using RSASHA1 (or their DS's in the parent) redundant after about a
> further month.

You don't have to wait.  There's nothing to stop you doing an early key
rollover for your ZSK, and switching algorithms.  Where you can either
revoke the old ZSK or change its expiry date -- once you've got the DS
records in the parent updated, of course.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20111015/7b4f20da/attachment.bin>

More information about the bind-users mailing list