DNSSEC upgrade

Tony Finch dot at dotat.at
Wed Apr 28 02:08:25 UTC 2021

Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> Many year ago we set up DNSSEC, our key were generated with sha1 as was
> recommended way back all them years. We too are not DNSSEC guru, so some
> answer may be simple

Well, you are going to do an algorithm rollover, which is one of the more
tricky things you can do with DNSSEC. So, plan to do some testing, a trial
run, with a spare zone that you can break without worrying.

If you like to understand things by getting an idea of the wider context
then there are a couple of RFCs on the general subject of key rollovers.
The parts that are most relevant are the algorithm rollover section in RFC
6781 and the double-KSK section in RFC 7583.


DNSSEC has got easier since those RFCs were written, so you might as well
just skip to the howto bits below :-) It turns out, I wrote most of this
reply over a year ago...

> Also we use ZSK -b 1024 and KSK -b 4096
> even modern google from apnic show example  ZSK of only 1024? is this still
> secure?

The current recommendation for DNSSEC algorithms is:

  * you already know you want to choose something based on sha256 - it's
    secure enough, so there's no need for bigger hashes

  * ecdsa-p256-sha256 (13) is the best choice, because it is widely
    supported and produces small signatures

  * if you must use RSA, use 2048 bit keys for both zsk and ksk. 1024 bits
    is not secure; 2048 has a roughly comparable security level to sha256
    (112ish bits vs 128 bits); 4096 is big and slow and probably not worth
    the cost

  * I would like to be able to deploy ed25519 (a better elliptic curve
    than p256) but it is not yet supported well enough

> Is best practise for doing this, replacing the keys completely, more or
> less like start fresh again?
> We do use inline signing and automatic maintain.

I did a wholesale algorithm rollover from RSASHA1 to p256 around the end
of 2019 and I wrote an algorithm rollover guide for colleagues in other
parts of our university who run their own DNS. It's basically three steps
with lots of waiting in between:


The "Semi-automated DS updates" section probably isn't relevant to you,
and the "Future" section has been made obsolete by dnssec-policy. But the
rest of it should guide you through the essentials.

(Also, the RIPE NCC does now support CDS records.)

And use these DNS checking services to verify that it is working as



f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Rattray Head to Berwick upon Tweed: North or northeast 4 or 5,
occasionally 3 later. Slight or moderate. Showers. Good.

More information about the bind-users mailing list