Mixing Algorithms for DNSSEC
mje at posix.co.za
Sat Oct 15 20:31:02 UTC 2011
True - no problem with a handful of zones.
Now assume a few thousand being automated from some script.
Wonder if OpenDNSSEC handles this at all?
OK - so I've rewritten my script to not worry (Don't Panic) - just keep
using the monthly KSKs with RSASHA1 until it sees a ZSK with the
RSASHA256 algorithm - then just switch over to creating KSKs with
RSASHA256 as well.
I just never knew switching algorithms would bite me. No one ever told
On Sat, 2011-10-15 at 20:58 +0100, Matthew Seaman wrote:
> On 15/10/2011 20:32, Mark Elkins wrote:
> > So what you are saying in practical terms is in order to migrate from
> > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> > cycle once a year) and then at exactly the same time start using
> > RSASHA256 on the KSKs (which cycle every month) - making any existing
> > ZSK using RSASHA1 (or their DSs in the parent) redundant after about a
> > further month.
> You don't have to wait. There's nothing to stop you doing an early key
> rollover for your ZSK, and switching algorithms. Where you can either
> revoke the old ZSK or change its expiry date -- once you've got the DS
> records in the parent updated, of course.
Mark Elkins <mje at posix.co.za>
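The rule the post describes (keep issuing RSASHA1 KSKs until an RSASHA256 ZSK shows up, then switch), as an added example that is not the poster's script, plus the check that explains why a KSK-only switch "bites": every algorithm listed in the apex DNSKEY RRset must sign every RRset (RFC 4035 section 2.2), so an algorithm present only on the KSK side or only on the ZSK side is a validation risk. The DNSKEY records below are constructed sample input, not real keys.

```python
# Added example (not the poster's script): decide the KSK algorithm for the
# next monthly rollover from the zone's current DNSKEY RRset, and flag
# algorithms that would leave some RRsets unsigned under the KSK/ZSK split.
from dataclasses import dataclass

RSASHA1, RSASHA256 = 5, 8  # IANA DNSSEC algorithm numbers

@dataclass
class DnsKey:
    owner: str
    flags: int
    algorithm: int

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & 1)  # SEP bit set: 257 = KSK, 256 = ZSK

def parse_dnskeys(rrset_text: str) -> list[DnsKey]:
    """Parse presentation-format DNSKEY RRs (owner TTL IN DNSKEY flags proto alg key)."""
    keys = []
    for line in rrset_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[3] == "DNSKEY":
            keys.append(DnsKey(f[0], int(f[4]), int(f[6])))
    return keys

def next_ksk_algorithm(keys: list[DnsKey]) -> int:
    """Poster's rule: keep making RSASHA1 KSKs until an RSASHA256 ZSK appears."""
    zsk_algs = {k.algorithm for k in keys if not k.is_ksk}
    return RSASHA256 if RSASHA256 in zsk_algs else RSASHA1

def unbalanced_algorithms(keys: list[DnsKey]) -> list[int]:
    """RFC 4035 s2.2 needs an RRSIG of every DNSKEY-listed algorithm on every
    RRset; with KSKs signing only DNSKEY and ZSKs signing the rest, an
    algorithm present on one side but not the other breaks that."""
    ksk_algs = {k.algorithm for k in keys if k.is_ksk}
    zsk_algs = {k.algorithm for k in keys if not k.is_ksk}
    return sorted(ksk_algs ^ zsk_algs)

# Constructed sample RRsets (key material truncated; these are not real keys).
DNSKEY_BEFORE = """\
example.com. 3600 IN DNSKEY 257 3 5 AwEAAcKSK1...
example.com. 3600 IN DNSKEY 256 3 5 AwEAAcZSK1...
"""
DNSKEY_AFTER = DNSKEY_BEFORE + "example.com. 3600 IN DNSKEY 256 3 8 AwEAAcZSK2...\n"

if __name__ == "__main__":
    for label, text in (("before", DNSKEY_BEFORE), ("after", DNSKEY_AFTER)):
        keys = parse_dnskeys(text)
        print(label, "next KSK alg:", next_ksk_algorithm(keys),
              "unbalanced:", unbalanced_algorithms(keys))
```

Once the RSASHA256 ZSK is published, the check reports algorithm 8 as unbalanced until the first RSASHA256 KSK (and its DS in the parent) is in place, which is the window the thread is discussing.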