Does BIND support "conservative" (RFC 6781, sec 4.1.4) algorithm rollovers?
michael at brokendns.net
Tue Aug 31 00:39:19 UTC 2021
I have, in the past, used the "conservative" approach to performing
algorithm rollovers for various domains. For many domains, this is
probably overkill, but I'd prefer to have the option of doing it,
especially for those mission-critical domains where you really don't
want to rely simply on the hope that nobody who needs to reach you (or
your org/company) is using a resolver that is still following the
strictest interpretation of RFC 4035, section 2.2.
In the past, I have handled this completely manually, using
dnssec-signzone to sign the zone with keys of both algs before (again
manually) including the new alg keys in the DNSKEY RRSET.
But for zones which I am inline-signing as a provider for someone else,
I would like to use a more automated method. It doesn't appear that
BIND currently supports this, either with dnssec-keymgr and
'inline-signing' or with KASP.
I did try the trick of setting the key metadata manually ('publish' in
the future and 'activate' in the past), but BIND 'inline-signing' would
not sign the zone with the key prior to its publication, despite my
timing metadata settings.
So I am assuming that only the "liberal" approach is supported. One
thing I thought of was trying a "moderate" approach, where the various
TTLs are manipulated so that the zone RRSIGs expire quickly before the
new alg is added and then flipping it so that the DNSKEY RRSET expires
quickly and the zone/RRSIG TTLs stay in cache longer. But that is still
a fairly tricky approach and I am not sure it would work...