<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,</p>
<p>I implemented DNSSEC for my personal domain a good while ago with
an older Bind and back then, I used RSASHA1-NSEC3-SHA1 algorithm,
which by now is not recommended... So I'm going to change the
algorithm, probably to ECDSAP256SHA256, which should also be NSEC3
capable.</p>
<p>Since my domain is small and rarely changes, I'm not using any
fancy updating features - I manage it manually, by editing the
non-signed version of the zone file and then signing it to create
a signed version.</p>
<p>Here I'd like to verify that I understand the steps required to
change the DNSSEC key / algorithm without disruption:</p>
<p>1. create new keys for my zone</p>
<ul>
<li>dnssec-keygen -a ECDSAP256SHA256 -n ZONE mydomain</li>
<li>dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE mydomain</li>
</ul>
<p>2. include new keys in my zone while keeping old keys too:<br>
</p>
<p> $INCLUDE Kmydomain.+008+14884.key &lt;- old key<br>
$INCLUDE Kmydomain.+008+27618.key &lt;- old key<br>
$INCLUDE Kmydomain.+013+10503.key &lt;- new key<br>
$INCLUDE Kmydomain.+013+39532.key &lt;- new key</p>
<p>3. sign the zone file</p>
<p> /usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random |
sha1sum | cut -b 1-16) -e +3024000 -o mydomain -t mydomain.hosts</p>
<p>4. ask the registrar to add new DS record to TLD (I have to do
this by mail, there is no 'self-service' UI)</p>
<p>5. wait at least one TTL (making sure to use the longest TTL in
my zone)</p>
<p>6. ask the registrar to remove old DS record(s) (I don't quite
remember why, but I had two)</p>
<p>7. wait another TTL period</p>
<p>8. remove old keys from zone</p>
<p>9. re-sign the zone<br>
</p>
<p>Will that be OK?</p>
<p> Best regards,</p>
<p> Danilo</p>
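<p>Added example for the rollover plan above (it is not code from the post, from BIND or from the registrar's side): a small Python script that computes the DS record for a KSK from its <code>K*.key</code> file, so the value sent to the registrar in step 4 and the value they publish can be compared, and that cross-checks the zone's DNSKEY set against the DS set at the parent for each of the states the steps pass through (both DS present, old DS removed, old keys removed). It goes slightly beyond the post in also flagging the RFC 6840 section 5.11 condition that every algorithm listed in the parent DS set must still have a DNSKEY in the zone, which is what makes the order "remove old DS, wait a TTL, then remove old keys" matter. The zone name <code>mydomain.</code> is the post's placeholder, and the key bytes are constructed dummies (not real RSA or ECDSA keys) so the key tags can be checked by hand; with real <code>.key</code> files, feed their contents to <code>parse_key_file</code> and the parent DS set from a <code>dig DS</code> query.</p>

```python
"""DS/DNSKEY consistency checks for a DNSSEC algorithm rollover.

Added example, not code from the original post or from BIND. Assumes the
post's placeholder zone name "mydomain." and uses constructed dummy key
bytes (not real RSA or ECDSA keys) so that key tags and DS digests can be
computed offline and compared with what the registrar publishes.
"""
import base64
import hashlib
import struct

ZONE = "mydomain."          # placeholder owner name taken from the post
KSK_FLAGS, ZSK_FLAGS = 257, 256


def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.lower().rstrip(".").split(".") if lbl)
    return wire + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags(16) protocol(8) algorithm(8) public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_key(flags, algorithm, pubkey, owner=ZONE):
    return {"owner": owner, "flags": flags, "protocol": 3,
            "algorithm": algorithm, "pubkey": pubkey}


def format_dnskey(key):
    """Presentation form, as written in a Kname.+alg+tag.key file."""
    return "%s IN DNSKEY %d %d %d %s" % (
        key["owner"], key["flags"], key["protocol"], key["algorithm"],
        base64.b64encode(key["pubkey"]).decode("ascii"))


def parse_key_file(text):
    """Parse the DNSKEY line of a dnssec-keygen .key file, skipping ';' comment lines."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            pub = base64.b64decode("".join(fields[i + 4:]))
            return {"owner": fields[0], "flags": flags, "protocol": proto,
                    "algorithm": alg, "pubkey": pub}
    raise ValueError("no DNSKEY record found")


def ds_record(key, digest_type=2):
    """DS RDATA as (key tag, algorithm, digest type, hex digest), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(key["owner"]) + rdata).hexdigest().upper()
    return (key_tag(rdata), key["algorithm"], digest_type, digest)


def rollover_check(dnskeys, parent_ds):
    """Compare the zone's DNSKEY RRset with the DS set the parent publishes.

    Returns (orphan_ds, uncovered_ksk_tags, missing_algs):
      orphan_ds     - DS records matching no key in the zone (validation breaks)
      uncovered     - KSK key tags that no parent DS points to (yet)
      missing_algs  - algorithms in the DS set with no DNSKEY (RFC 6840 section 5.11)
    """
    parent = set(parent_ds)
    digest_types = {ds[2] for ds in parent} or {2}
    ksks = [k for k in dnskeys if k["flags"] & 1]        # SEP bit set => KSK
    zone_ds = {ds_record(k, dt) for k in ksks for dt in digest_types}
    orphan_ds = parent - zone_ds
    uncovered = {key_tag(dnskey_rdata(k)) for k in ksks
                 if not any(ds_record(k, dt) in parent for dt in digest_types)}
    missing_algs = {ds[1] for ds in parent} - {k["algorithm"] for k in dnskeys}
    return orphan_ds, uncovered, missing_algs


def sample_keys():
    """Constructed keys mirroring the post: old pair on algorithm 8, new pair on 13.
    The public-key bytes are dummies chosen so the key tags are easy to verify by hand."""
    return {
        "old_ksk": make_key(KSK_FLAGS, 8, bytes(range(64, 0, -1))),
        "old_zsk": make_key(ZSK_FLAGS, 8, bytes([0x55] * 64)),
        "new_ksk": make_key(KSK_FLAGS, 13, bytes(range(1, 65))),
        "new_zsk": make_key(ZSK_FLAGS, 13, bytes([0xAA] * 64)),
    }


if __name__ == "__main__":
    keys = sample_keys()
    old_ds, new_ds = ds_record(keys["old_ksk"]), ds_record(keys["new_ksk"])
    print("DS to send to the registrar:", " ".join(map(str, new_ds)))
    both = list(keys.values())
    new_only = [keys["new_ksk"], keys["new_zsk"]]
    for label, zone, parent in [
        ("step 3: both key pairs in zone, old DS only", both, [old_ds]),
        ("step 4: new DS added at parent", both, [old_ds, new_ds]),
        ("step 6: old DS removed", both, [new_ds]),
        ("step 8: old keys removed", new_only, [new_ds]),
        ("wrong order: old keys removed while old DS remains", new_only, [old_ds, new_ds]),
    ]:
        print(label, "->", rollover_check(zone, parent))
```

<p>An empty result from <code>rollover_check</code> is the condition to aim for after steps 4 and 8; a non-empty first or third element means a validating resolver will see a DS it cannot match to a key, which is the outage the waiting periods in steps 5 and 7 are there to avoid. <code>parse_key_file</code> accepts the comment lines that <code>dnssec-keygen</code> writes at the top of its <code>.key</code> files.</p>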
</body>
</html>