Change DNSSEC algorithm and switch to use KASP

Matthias Fechner idefix at
Sat Apr 25 08:08:13 UTC 2020

Dear all,

I followed now the series here (again, thanks a lot to make this public!):

Just now I only sign one domain which is using the "auto-dnssec maintain;".
What I understood from the series is that KASP does not support
switching from "auto-dnssec maintain" to KASP, yet.

As my single domain is using RSASHA256 and I want to use one algorithm
(ECDSA256)  for each domain I maintain in my DNS servers (to would like
to have a clean start with KASP).
I just wanted to make sure I do not break this single domain
( which is already signed.
I cannot remove DNSSEC before the DS has disappeared on the parent.

What I understood so far is using the following procedure (to disable
DNSSEC for this single specific domain):
- ask the parent zone to remove the DS (as long as the DS exists in the
parent zone I must not remove DNSSEC as that would break the zone)
- after the DS disappeared in the parent zone, wait for at least the TTL
of the DS (86400) + maybe one day (safety)
- now my zone does not require to have DNSSEC and I can remove DNSSEC
- instruct bind to delete the key using dnssec-settime to remove the key
(dnssec-settime -I +1d -D +2d keyfile)
- wait 2 days
- check no RRSIGS are existing for the domain
- wait for one day (TTL) + 1 say (safety) = at least 2 days
- now start to use KASP and let it create keys and sign your zone using
ecdsa256 (is this a recommended algo for using DNSSEC?)
- wait till CDS and CDNSKEY appears in the zone (bind ensures here the
TTLs match, so it will not add the CDS before required time is passed)
- ask parent to add the DS to their zone
- the moment the DS is added on parent, DNSSEC is enforced

If I do not ask the parent to add the DS key, I can keep DNSSEC for the
zones, but it will not be enforced or?
(this does not work if the registra would import the DS because CDS and
CDNSKEY keys are existing, so be carefull here)

I'm talking here about zone

The TTL on the parent seems to be 86400:
dig +dnssec +multi -t DS @A.GTLD-SERVERS.NET
...            86400 IN DS 64539 10 2 (
                                EDC9C9B541AFB5D52D8D )            86400 IN DS 64539 10 1 (
                                81EF72A9B9D92A9FD4F50856D1371DA05F5ACC27 )

The TTL in my zone is also 86400, so I used this for all waiting times.

Thanks a lot for any comments!



"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook

More information about the bind-users mailing list