BIND9 DNSSEC algorithm rollover for inline-signed zone
Sebastian Wiesinger
sebastian at karotte.org
Fri Oct 7 16:47:42 UTC 2016
* Mark Andrews <marka at isc.org> [2016-10-06 23:33]:
> > is there a guide for an algorithm rollover with BIND9 for an
> > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
> > find a good guide for it. I already looked at the ISC DNSSEC Guide but
> > it doesn't seem to cover that the RRSIGs made by the new keys need to
> > be published before the DNSKEYs themselves are published in the zone.
>
> Because there is no such requirement. Just create the keys in the
> new algorithm and let named sign the zone.
>
> The DNSSEC RFC's were written with rules for zone publishers and
> rules for zone validators. These were designed to around the fact
> that the DNS is loosely coherent and that you can't update everything
> simultaneously. That means thay you can expect that you won't find
> signatures for every alorithm in the DNSKEY RRset in the answers.
Thank you for explaining this for me. I was reading RFC6781, which I
now realize is probably outdated in this regard so I was a bit
confused.
> Once named has completed signing the zone with the new algorithm
> and all the slaves have the fully signed zone and the caches have
> expired any RRsets which are only signed with the old algorithm you
> can add DS records for the new algorithm for the zone.
This only applies when I change the DS record, right? I assume that I
can add the new one instantly and remove the old one later when all
caches have expired the old data.
Regards
Sebastian
--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
More information about the bind-users
mailing list