Mixing Algorithms for DNSSEC

Casey Deccio casey at deccio.net
Sat Oct 15 22:20:58 UTC 2011

On Sat, Oct 15, 2011 at 1:31 PM, Mark Elkins <mje at posix.co.za> wrote:

> True - no problem with a handful of zones.
> Now assume a few thousand being automated from some script.
> Wonder if OpenDNSSEC handles this at all?
> OK - so I've rewritten my script to not worry (Don't Panic) - just keep
> using the monthly KSK's with RSASHA1 until it sees a ZSK with the
> RSASHA256 algorithm - then just switch over to creating KSK's with
> RSASHA256 as well.

There are some documented procedures for algorithm rollovers in RFC 4641bis
that you should probably look at.  The current draft is at:


see section 4.1.5.
