BIND9 DNSSEC algorithm rollover for inline-signed zone

Sebastian Wiesinger sebastian at
Fri Oct 7 16:47:42 UTC 2016

* Mark Andrews <marka at> [2016-10-06 23:33]:
> > is there a guide for an algorithm rollover with BIND9 for an
> > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
> > find a good guide for it. I already looked at the ISC DNSSEC Guide but
> > it doesn't seem to cover that the RRSIGs made by the new keys need to
> > be published before the DNSKEYs themselves are published in the zone.
> Because there is no such requirement.  Just create the keys in the
> new algorithm and let named sign the zone.
> The DNSSEC RFCs were written with rules for zone publishers and
> rules for zone validators.  These were designed around the fact
> that the DNS is loosely coherent and that you can't update everything
> simultaneously.  That means that you can expect that you won't find
> signatures for every algorithm in the DNSKEY RRset in the answers.

Thank you for explaining this to me. I was reading RFC6781, which I
now realize is probably outdated in this regard so I was a bit

> Once named has completed signing the zone with the new algorithm
> and all the slaves have the fully signed zone and the caches have
> expired any RRsets which are only signed with the old algorithm you
> can add DS records for the new algorithm for the zone.

This only applies when I change the DS record, right? I assume that I
can add the new one instantly and remove the old one later when all
caches have expired the old data.



GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
            -- Terry Pratchett, The Fifth Elephant
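The gate in the procedure Mark describes is that every authoritative RRset must carry a signature from the new algorithm before the DS for that algorithm is published (RFC 4035 section 2.2). One way to check that on a zone dump, as an added example in Python that is not code from this thread, from ISC or from BIND: parse the presentation-format records, collect the RRSIG algorithms per RRset, and compare them with the algorithms in the apex DNSKEY RRset. The zone text, key tags and signature blobs are constructed placeholders (NSEC records are omitted for brevity), and `APEX` and `NEW_ALG` are assumed parameters. The check deliberately covers only the zone content; propagation to the slaves and expiry of old-algorithm-only RRsets from caches, which the reply above also requires, cannot be read from a dump.

```python
"""Check whether a zone dump is fully signed with a new DNSSEC algorithm
before the DS for that algorithm is published (RFC 4035 section 2.2:
every authoritative RRset needs an RRSIG for each algorithm present in
the DNSKEY RRset). Input is one record per line in presentation format,
as emitted by `dig @primary example.com AXFR` or `named-compilezone -j`.
Added example, not ISC/BIND code.
"""
from collections import defaultdict

APEX = "example.com."      # assumed zone apex
NEW_ALG = 13               # ECDSAP256SHA256; the algorithm being rolled to

# Constructed sample: example.com part-way through a roll from RSASHA256 (8)
# to ECDSAP256SHA256 (13). Key and signature blobs are placeholders, not real
# DNSSEC material; the www A RRset still lacks its algorithm-13 signature.
ZONE_MID_ROLL = """
example.com.         3600 IN SOA    ns1.example.com. hostmaster.example.com. 2016100701 7200 3600 1209600 3600
example.com.         3600 IN NS     ns1.example.com.
example.com.         3600 IN DNSKEY 257 3 8 AwEAAa==
example.com.         3600 IN DNSKEY 256 3 8 AwEAAb==
example.com.         3600 IN DNSKEY 257 3 13 oJMRAA==
example.com.         3600 IN DNSKEY 256 3 13 ka3QAA==
example.com.         3600 IN RRSIG  SOA 8 2 3600 20161107000000 20161007000000 1111 example.com. sig==
example.com.         3600 IN RRSIG  SOA 13 2 3600 20161107000000 20161007000000 3333 example.com. sig==
example.com.         3600 IN RRSIG  NS 8 2 3600 20161107000000 20161007000000 1111 example.com. sig==
example.com.         3600 IN RRSIG  NS 13 2 3600 20161107000000 20161007000000 3333 example.com. sig==
example.com.         3600 IN RRSIG  DNSKEY 8 2 3600 20161107000000 20161007000000 2222 example.com. sig==
example.com.         3600 IN RRSIG  DNSKEY 13 2 3600 20161107000000 20161007000000 4444 example.com. sig==
www.example.com.      300 IN A      192.0.2.10
www.example.com.      300 IN RRSIG  A 8 3 300 20161107000000 20161007000000 1111 example.com. sig==
sub.example.com.     3600 IN NS     ns1.sub.example.com.
ns1.sub.example.com. 3600 IN A      192.0.2.53   ; glue, never signed by the parent
sub.example.com.     3600 IN DS     5555 13 2 0123456789ABCDEF
sub.example.com.     3600 IN RRSIG  DS 8 3 3600 20161107000000 20161007000000 1111 example.com. sig==
sub.example.com.     3600 IN RRSIG  DS 13 3 3600 20161107000000 20161007000000 3333 example.com. sig==
"""

# Same constructed zone once named has finished signing with algorithm 13.
ZONE_SIGNED = ZONE_MID_ROLL + (
    "www.example.com.      300 IN RRSIG  A 13 3 300 20161107000000 20161007000000 3333 example.com. sig==\n"
)


def parse_zone(text):
    """Return (owner, rtype, rdata_fields) tuples; blank lines and ';' comments are dropped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def dnskey_algorithms(records, apex):
    """Algorithms advertised in the apex DNSKEY RRset (rdata: flags proto alg key)."""
    return {int(rdata[2]) for owner, rtype, rdata in records
            if owner == apex and rtype == "DNSKEY"}


def delegation_points(records, apex):
    return {owner for owner, rtype, _ in records if rtype == "NS" and owner != apex}


def is_below_delegation(owner, delegations):
    return any(owner == d or owner.endswith("." + d) for d in delegations)


def signature_report(records, apex):
    """Map each authoritative RRset (owner, type) to the set of RRSIG algorithms covering it."""
    delegations = delegation_points(records, apex)
    rrsets = set()
    sigs = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":            # rdata: type_covered alg labels ...
            sigs[(owner, rdata[0].upper())].add(int(rdata[1]))
            continue
        # At a delegation only the DS RRset is authoritative in this zone;
        # the child's NS and glue below the cut are never signed by the parent.
        if is_below_delegation(owner, delegations) and not (rtype == "DS" and owner in delegations):
            continue
        rrsets.add((owner, rtype))
    return {rrset: sigs.get(rrset, set()) for rrset in sorted(rrsets)}


def rrsets_missing_algorithm(records, apex, alg):
    return [rrset for rrset, algs in signature_report(records, apex).items() if alg not in algs]


def ds_for_new_algorithm_safe(records, apex, new_alg):
    """True when the zone content is fully signed with new_alg: the DNSKEY RRset
    advertises it and every authoritative RRset carries an RRSIG made with it.
    Secondary propagation and cache expiry must be checked separately."""
    return (new_alg in dnskey_algorithms(records, apex)
            and not rrsets_missing_algorithm(records, apex, new_alg))


if __name__ == "__main__":
    for label, text in (("mid-roll", ZONE_MID_ROLL), ("fully signed", ZONE_SIGNED)):
        recs = parse_zone(text)
        print(f"{label}: DNSKEY algorithms {sorted(dnskey_algorithms(recs, APEX))}")
        for (owner, rtype), algs in signature_report(recs, APEX).items():
            print(f"  {owner:22} {rtype:7} signed by {sorted(algs)}")
        print(f"  safe to publish DS for algorithm {NEW_ALG}: "
              f"{ds_for_new_algorithm_safe(recs, APEX, NEW_ALG)}")
```

Run it against a dump from each slave as well as the master, since the reply above makes the DS change conditional on every server carrying the fully signed zone. Records split across lines with parentheses (as in a hand-written zone file) are not handled; use a transfer or `named-compilezone` output, which emits one record per line.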

More information about the bind-users mailing list