<div dir="ltr"><br><div>That's a good resource. Thanks, Hugo.</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 14, 2022 at 1:40 PM Hugo Salgado <<a href="mailto:hsalgado@nic.cl">hsalgado@nic.cl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 11:23 14/09, frank picabia wrote:<br>
> Hi,<br>
> <br>
> I'm at the point in DNSSEC algorithm migration<br>
> where I have two types of keys involved in signing.<br>
> Both algorithm 7 and 8 are in use.<br>
> <br>
> The top level domain registrar also has DS keys set up for both 7 and 8.<br>
> <br>
> I need to coordinate pulling out algorithm 7 with the domain registrar so<br>
> our domain will be running against only algo 8.<br>
> <br>
> Should the TLD registrar remove 7 first, or should I remove signing of zone<br>
> with the algo 7 keys before they make their change?<br>
> <br>
> I noticed that when I tried removing signing with the algo 7 keys, and<br>
> checked<br>
> the DNS state at <a href="https://dnsviz.net/d/acadiau.ca/dnssec/" rel="noreferrer" target="_blank">https://dnsviz.net/d/acadiau.ca/dnssec/</a><br>
> <br>
> I saw errors at the analyzer like this:<br>
> <br>
> The DS RRset for the zone included algorithm 7 (RSASHA1NSEC3SHA1), but no<br>
> RRSIG with algorithm 7 covering the RRset was returned in the response.<br>
> <br>
> I'm not sure if that would be a crippling error to DNS functionality<br>
> if I didn't reverse removal of algo 7 signing, which I've done after seeing<br>
> this.<br>
> <br>
> Can I do removal of algo 7 at one side prior to the<br>
> other (Bind signing vs TLD Registrar side),<br>
> or do we have to try to coordinate this with the TLD<br>
> registrar as closely as possible?<br>
<br>
If you already have the two DS at your parent, the next step is<br>
removing the old DS, then wait, then remove the old KSK (but<br>
still have the old ZSK and old signatures), then wait, then<br>
remove everything from the old algorithm.<br>
<br>
For adding a new DS is the other way around. You first add the<br>
new ZSK + signatures, then the KSK, then the DS at your parent.<br>
<br>
Here's an step by step method, in spanish, but hopefully the<br>
diagrams are self explanatory:<br>
<a href="https://hugo.salga.do/post/615501933278642176/c%C3%B3mo-hacer-un-rollover-de-algoritmo-en-dnssec" rel="noreferrer" target="_blank">https://hugo.salga.do/post/615501933278642176/c%C3%B3mo-hacer-un-rollover-de-algoritmo-en-dnssec</a><br>
<br>
Hugo<br>
<br>
</blockquote></div>