Transitioning to new algorithm for DNSSEC

frank picabia fpicabia at gmail.com
Thu May 5 16:37:30 UTC 2022


Hi,

I've been running a BIND setup with DNSSEC for many years.
It was done following the guide at the DigitalOcean site.

What I don't find in a nice guide is how to change your algorithm
to a more current one and seamlessly make your domain
run under this new chain of data.

I tried it on my own estimates of what would be required, and
it seemed to be poisoned by dropping mention of the prior
key files in my DNS while the Internet's cached info
on our DS is still out there.  Whatever has happened,
I've got a running domain again, but there is an angry diagram
being drawn at https://dnsviz.net/ when my domain (which
will remain nameless) is analyzed.

With DNS it is always hard to tell what is going on NOW due
to caching, and breakage works this way as well.

Is there a guide on transitioning the DNSSEC signing algorithm,
or is ISC support the best way to handle this
and avoid the risk of total DNS calamity?
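The ordering problem the post describes can be made concrete with a small model of the conservative algorithm rollover from RFC 6781 section 4.1.4. This is an added example, not code from the original post or from ISC; the zone, TTLs and algorithm choice (RSASHA256 to ECDSAP256SHA256) are hypothetical. It checks the two invariants that a validator, and a tool such as DNSViz, enforces at every instant: every DS at the parent must match a published DNSKEY, and every algorithm in the apex DNSKEY RRset must sign every RRset (RFC 4035 section 2.2). Dropping the old key files while the old DS is still cached breaks the first invariant, which is what the model flags.

```python
from dataclasses import dataclass

# Constructed example; algorithm numbers are the IANA DNSSEC algorithm numbers.
ALG_RSASHA256 = 8          # algorithm being retired in this hypothetical zone
ALG_ECDSAP256SHA256 = 13   # algorithm being introduced


@dataclass(frozen=True)
class ZoneState:
    """What resolvers can see at one moment, keyed by DNSSEC algorithm number."""
    dnskey_algs: frozenset  # algorithms of the DNSKEYs published at the apex
    rrsig_algs: frozenset   # algorithms that sign every RRset in the zone
    ds_algs: frozenset      # algorithms of the DS records held by the parent


def problems(state):
    """Return validator-visible breakage for one state (empty list = clean).

    Rule 1: a DS with no matching DNSKEY leaves that chain of trust dangling.
    Rule 2 (RFC 4035 section 2.2): every algorithm in the apex DNSKEY RRset
    must sign every RRset, or strict validators treat the zone as bogus.
    """
    issues = []
    for alg in sorted(state.ds_algs - state.dnskey_algs):
        issues.append(f"DS for algorithm {alg} has no matching DNSKEY")
    for alg in sorted(state.dnskey_algs - state.rrsig_algs):
        issues.append(f"DNSKEY algorithm {alg} is published but signs nothing")
    return issues


def plan_rollover(old, new, dnskey_ttl, ds_ttl, zone_max_ttl):
    """Conservative algorithm rollover per RFC 6781 section 4.1.4.

    Returns (label, state, seconds_to_wait) tuples. Each wait is the TTL of
    whatever was changed in that step, so caches holding the previous state
    have expired before the next step relies on the change. Real deployments
    add the parent's publication delay on top of the DS waits.
    """
    f = frozenset
    return [
        ("initial",
         ZoneState(f({old}), f({old}), f({old})), 0),
        # New DNSKEYs and new-algorithm RRSIGs go in one signing pass, so
        # rule 2 holds at every instant; wait for the largest affected TTL.
        ("publish new DNSKEY + RRSIGs",
         ZoneState(f({old, new}), f({old, new}), f({old})),
         max(dnskey_ttl, zone_max_ttl)),
        # Only now is it safe to hand the parent a DS for the new algorithm.
        ("add new DS at parent",
         ZoneState(f({old, new}), f({old, new}), f({old, new})), ds_ttl),
        ("remove old DS at parent",
         ZoneState(f({old, new}), f({old, new}), f({new})), ds_ttl),
        # Old DNSKEY and old RRSIGs leave together. Removing the key earlier
        # breaks rule 1 while the old DS is still cached; removing only the
        # signatures breaks rule 2.
        ("remove old DNSKEY + RRSIGs",
         ZoneState(f({new}), f({new}), f({new})), 0),
    ]


def validate_plan(steps):
    """Return (label, issues) for every step that would fail validation."""
    return [(label, problems(state)) for label, state, _ in steps
            if problems(state)]


if __name__ == "__main__":
    plan = plan_rollover(ALG_RSASHA256, ALG_ECDSAP256SHA256,
                         dnskey_ttl=3600, ds_ttl=86400, zone_max_ttl=3600)
    for label, state, wait in plan:
        print(f"{label:30s} wait {wait:6d}s  issues={problems(state)}")
    print("plan valid:", validate_plan(plan) == [])

    # The shortcut from the post: old key files dropped while the parent
    # (and resolver caches) still carry the old DS.
    rushed = ZoneState(frozenset({ALG_ECDSAP256SHA256}),
                       frozenset({ALG_ECDSAP256SHA256}),
                       frozenset({ALG_RSASHA256, ALG_ECDSAP256SHA256}))
    print("rushed removal:", problems(rushed))
```

The model deliberately says nothing about key tags or key files; the rollover is about which algorithms are visible where, and the waits are what make each step safe for resolvers that cached the previous step.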