dnskey algorithm update

Carl Byington carl at byington.org
Wed Jan 6 20:14:21 UTC 2016

Hash: SHA1

My zones are currently using algorithm 5 (RSASHA1), with two KSKs and
two ZSKs with overlapping timers. In preparation for updating to
algorithm 8 (RSASHA256), I read:

  The bind-users thread "KSK signing all records; NSEC3 algorithm

Is there a more authoritative document that describes the algorithm roll
over procedure? It seems that I need to:

  generate new ZSK and KSKs using algorithm 8
  sign the zone with all the keys
  wait one ttl cycle, then publish a new dnskey rrset
  wait one ttl cycle, then upload the new ds rrset
  eventually, remove the old KSKs from the dnskey rrset,
    but still use them to sign the zone
  wait one ttl cycle, then resign the zone without the
    old KSKs.

For that to work, I need to get dnssec-signzone to sign a zone without
publishing the keys (activate < publish) and (inactivate > delete).

'man dnssec-signzone' under -S smart signing, talks about the following
timers - (publication, activation, revocation, unpublication, deletion).

That man page implies that dnssec-signzone will always publish keys that
it has used to sign the zone. The use of 'unpublication' and lack of
mention of 'inactivate' seems to be an oversight.

'man dnssec-settime' documents the following timers - (P publication, A
activation, R revocation, I retired (inactive?), D deleted)

'dnssec-settime -p all' uses (Created, Publish, Activate, Revoke,
Inactive, Delete) names.

Version: GnuPG v2.0.14 (GNU/Linux)


More information about the bind-users mailing list