Seeking Advice on DNSSEC Algorithm Rollover

Mark Elkins mje at
Sun Jun 24 09:51:39 UTC 2012

On Sat, 2012-06-23 at 22:34 +0000, Spain, Dr. Jeffry A. wrote:
> I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8.
> The Bv9ARM doesn't discuss this procedure explicitly as far as I can
> tell, but section 4.9 presents some clues. I'd like to ask the experts
> on this list if the following procedure might accomplish an algorithm
> rollover cleanly.

Before in-line signing existed, I rolled my keys from algorithm 5 to 8.
I was thus using dnssec-signzone to perform the signing. I had also
generated my own keys, both KSK and ZSK. ZSKs and KSKs up until then
were running their own life-cycles independently from each other. I
thought this 'independence' was good as DNSSEC events would happen
spread around the year.

I discovered that if there was not at least one KSK and ZSK of the same
algorithm, dnssec-signzone would fail. If one goes with defaults, KSK
life of one year and ZSK of one month, effectively to roll a key
algorithm without forcing the roll-over by removing all the old
key/algorithm at the same time, you have to wait for a KSK to 'expire'
then add a new algorithm key pair together. As soon as the last old
algorithm KSK expires, there must no longer be any old algorithm ZSKs
left, but old algorithm ZSKs must be around until this event.
That is - at the time of roll-over - you have a KSK/ZSK pair using the
old algorithm and a pair using the new algorithm, obviously with
appropriate DSs in the Parent.

(That should make sense)

So, if you only have a very few signed zones, it's possibly easier to
resign them from scratch, or force a roll-over. (Avoid the pain!)
If you re-do everything at the same time - then DNS signing events may
no longer be scattered around the year - maybe not a good thing.

I'd expect in-line signing to be of a similar nature unless algorithm 7
and 8 keys can as such 'speak for each other'.

My advice: test mixing old and new algorithm keys by signing with
dnssec-signzone and presume the same rules exist for in-line signing.
I'd look for a solution that 'upgrades' a zone to using a new key
algorithm at the scheduled time of a KSK roll-over.

I'm sure you'll post the results here!
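A pre-signing check for the rule described above (every algorithm in the DNSKEY RRset must have both a KSK and a ZSK at every stage of the rollover), as an added example that is not part of the original post or of BIND. The zone name and key material are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample DNSKEY RRset for a zone mid-rollover (not from the post):
# old algorithm 7 pair alongside new algorithm 8 pair. Key data is a placeholder.
SAMPLE_KEYS = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAaOLDPLACEHOLDERKSK7
example.test. 3600 IN DNSKEY 256 3 7 AwEAAaOLDPLACEHOLDERZSK7
example.test. 3600 IN DNSKEY 257 3 8 AwEAAaNEWPLACEHOLDERKSK8
example.test. 3600 IN DNSKEY 256 3 8 AwEAAaNEWPLACEHOLDERZSK8
"""

# Constructed stages of a rollover done in the wrong order: the old ZSK is
# dropped (stage index 2) while the old KSK is still published.
BAD_STAGES = [
    "\n".join(SAMPLE_KEYS.splitlines()[:2]),          # old pair only
    SAMPLE_KEYS,                                      # old pair + new pair
    "\n".join(SAMPLE_KEYS.splitlines()[:1] + SAMPLE_KEYS.splitlines()[2:]),  # old KSK alone
    "\n".join(SAMPLE_KEYS.splitlines()[2:]),          # new pair only
]

# owner TTL IN DNSKEY <flags> <protocol=3> <algorithm> <key>
DNSKEY_RE = re.compile(r"^\S+\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+\S+", re.M)

def parse_dnskeys(text):
    """Return a list of (flags, algorithm) tuples from zone-file DNSKEY lines."""
    return [(int(f), int(a)) for f, a in DNSKEY_RE.findall(text)]

def roles_by_algorithm(keys):
    """Map algorithm number -> set of roles; the SEP bit (flags value 1) marks a KSK."""
    roles = defaultdict(set)
    for flags, alg in keys:
        roles[alg].add("KSK" if flags & 1 else "ZSK")
    return roles

def unpaired_algorithms(keys):
    """Algorithms that have a KSK without a ZSK or a ZSK without a KSK.
    An unpaired algorithm cannot sign the whole zone, which is the condition
    the post reports dnssec-signzone refusing to sign."""
    return sorted(alg for alg, r in roles_by_algorithm(keys).items()
                  if r != {"KSK", "ZSK"})

def check_rollover_stages(stages):
    """Index of the first stage whose DNSKEY RRset leaves an algorithm unpaired,
    or -1 if every stage keeps a KSK/ZSK pair per algorithm."""
    for i, text in enumerate(stages):
        if unpaired_algorithms(parse_dnskeys(text)):
            return i
    return -1
```

Run it over the output of `dig DNSKEY <zone>` or the key files you are about to feed to dnssec-signzone before each planned key removal.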
