dnskey algorithm update
carl at byington.org
Wed Jan 6 20:14:21 UTC 2016
My zones are currently using algorithm 5 (RSASHA1), with two KSKs and
two ZSKs with overlapping timers. In preparation for updating to
algorithm 8 (RSASHA256), I read:
The bind-users thread "KSK signing all records; NSEC3 algorithm
Is there a more authoritative document that describes the algorithm
rollover procedure? It seems that I need to:
  1. generate new ZSK and KSKs using algorithm 8
  2. sign the zone with all the keys
  3. wait one ttl cycle, then publish a new dnskey rrset
  4. wait one ttl cycle, then upload the new ds rrset
  5. eventually, remove the old KSKs from the dnskey rrset,
     but still use them to sign the zone
  6. wait one ttl cycle, then resign the zone without the
For that to work, I need to get dnssec-signzone to sign a zone without
publishing the keys (activate < publish) and (inactivate > delete).
'man dnssec-signzone' under -S smart signing, talks about the following
timers - (publication, activation, revocation, unpublication, deletion).
That man page implies that dnssec-signzone will always publish keys that
it has used to sign the zone. The use of 'unpublication' and lack of
mention of 'inactivate' seems to be an oversight.
'man dnssec-settime' documents the following timers - (P publication, A
activation, R revocation, I retired (inactive?), D deleted)
'dnssec-settime -p all' uses (Created, Publish, Activate, Revoke,
Inactive, Delete) names.
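A worked timer schedule for the rollover steps in the post, as an added example that is not from the original message or from BIND: it computes the dnssec-settime timers (-P publish, -A activate, -I inactive, -D delete) for the conservative algorithm rollover with one TTL cycle per step, and checks the two inversions the post needs (activate before publish for the new keys, delete before inactive for the old ones). The start time, the one-day TTL and the key file names are constructed placeholders; whether dnssec-signzone honours these timers is the question the post raises and is not something this example settles.

```python
from datetime import datetime, timedelta

# dnssec-settime accepts absolute times as YYYYMMDDHHMMSS (UTC). The fixed
# width means the strings sort chronologically, so they are compared
# directly below without converting back to datetime.
FMT = "%Y%m%d%H%M%S"

def rollover_schedule(start, ttl_seconds, old_ds_removed_after=3):
    """Timer schedule for the conservative algorithm rollover in the post:
    new keys sign first and are published one TTL later; the new DS goes
    to the parent one TTL after that; once the old DS is withdrawn the old
    keys leave the DNSKEY RRset but keep signing for one more TTL.
    `start` is a YYYYMMDDHHMMSS string; every step waits one full TTL.
    (Constructed schedule for illustration, not a BIND default.)"""
    t0 = datetime.strptime(start, FMT)
    step = lambda n: (t0 + n * timedelta(seconds=ttl_seconds)).strftime(FMT)
    return {
        "new": {"Activate": step(0), "Publish": step(1)},    # sign, then publish
        "ds_upload": step(2),                                  # new DS at the parent
        "ds_remove_old": step(old_ds_removed_after),           # old DS withdrawn
        "old": {"Delete": step(old_ds_removed_after + 1),      # unpublish old DNSKEYs
                "Inactive": step(old_ds_removed_after + 2)},   # then stop signing
    }

def check_schedule(s):
    """The two inversions the post asks for: activate < publish on the new
    keys and delete < inactive on the old keys, each ordered around the
    DS change it depends on."""
    ok_new = s["new"]["Activate"] < s["new"]["Publish"] < s["ds_upload"]
    ok_old = s["ds_remove_old"] < s["old"]["Delete"] < s["old"]["Inactive"]
    return ok_new and ok_old

def settime_commands(s, new_keyfiles, old_keyfiles):
    """Render the dnssec-settime calls that stamp the schedule onto each
    key file (the flags are the ones listed in 'man dnssec-settime')."""
    cmds = [f"dnssec-settime -P {s['new']['Publish']} -A {s['new']['Activate']} {k}"
            for k in new_keyfiles]
    cmds += [f"dnssec-settime -D {s['old']['Delete']} -I {s['old']['Inactive']} {k}"
             for k in old_keyfiles]
    return cmds

if __name__ == "__main__":
    # Constructed sample: DNSKEY/DS TTL of one day; key file names are
    # placeholders (008 = RSASHA256 new key, 005 = RSASHA1 old key).
    sched = rollover_schedule("20160107000000", 86400)
    assert check_schedule(sched)
    for cmd in settime_commands(sched, ["Kexample.com.+008+11111"],
                                ["Kexample.com.+005+22222"]):
        print(cmd)
```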