BIND9 DNSSEC algorithm rollover for inline-signed zone
Sebastian Wiesinger
sebastian at karotte.org
Mon Oct 10 11:51:46 UTC 2016
* Tony Finch <dot at dotat.at> [2016-10-10 12:36]:
> I thought the algorithm rollover process is required to be: introduce new
> ZSK and KSK and sign the zone; wait for old records to expire; flip the DS
> from old to new; wait for old DS to expire; delete old ZSK and KSK and
> RRSIGs. A double-DS algorithm rollover will cause your zone to go bogus.
I did the "double DS" approach: first published the new KSK/ZSK, waited for
the zone TTLs, then introduced a second DS. The zone looked like this:
http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/
After the DS TTL expired I removed the old DS, so the zone now looks
like this:
http://dnsviz.net/d/blau.beer/V_t2Hg/dnssec/
The last step, after the DS TTL expires (again), will be removing the old KSK
and ZSK.
It seems to work. After doing this I discovered that the .tz TLD did
it the same way:
https://singapore52.icann.org/en/schedule/mon-tech/presentation-ksk-algorithm-09feb15-en.pdf
Regards
Sebastian
--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
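The step sequence Sebastian describes (publish the new KSK/ZSK and sign with both algorithms, wait zone TTLs, add the second DS, wait the DS TTL, drop the old DS, wait again, drop the old keys) can be checked step by step against the RFC 6840 §5.11 consistency rule: a signed zone must carry a DNSKEY, and signatures, for every algorithm listed in its DS RRset. A snapshot that breaks that rule is the condition under which a strict validator can mark the zone bogus, which is the failure Tony warns about. The following is an added example, not code from the post or from BIND; the algorithm numbers (8 and 13), the `Snapshot` type and the helper names are constructed for illustration, since the thread does not say which algorithms were rolled.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers used as constructed sample values;
# the thread does not say which algorithms were actually rolled.
RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class Snapshot:
    """What a validator sees at one point in the rollover."""
    name: str
    dnskey_algs: frozenset   # algorithms of the DNSKEYs published in the zone
    rrsig_algs: frozenset    # algorithms the zone's RRsets are actually signed with
    ds_algs: frozenset       # algorithms of the DS records at the parent


def problems(s: Snapshot) -> list:
    """Reasons this snapshot violates the RFC 6840 section 5.11 consistency rule."""
    out = []
    for alg in sorted(s.ds_algs):
        if alg not in s.dnskey_algs:
            out.append(f"{s.name}: DS for algorithm {alg} but no DNSKEY with that algorithm")
        elif alg not in s.rrsig_algs:
            out.append(f"{s.name}: DS for algorithm {alg} but zone not signed with it")
    for alg in sorted(s.dnskey_algs):
        if alg not in s.rrsig_algs:
            out.append(f"{s.name}: DNSKEY for algorithm {alg} but zone not signed with it")
    if not (s.ds_algs & s.dnskey_algs & s.rrsig_algs):
        out.append(f"{s.name}: no algorithm is present in DS, DNSKEY and RRSIG at once")
    return out


def double_ds_rollover(old: int, new: int) -> list:
    """The step sequence from the post, one snapshot per step (TTL waits between them)."""
    both = frozenset({old, new})
    o, n = frozenset({old}), frozenset({new})
    return [
        Snapshot("0 start: old algorithm only", o, o, o),
        Snapshot("1 new KSK/ZSK published, zone signed with both", both, both, o),
        Snapshot("2 second DS added at parent", both, both, both),
        Snapshot("3 old DS removed", both, both, n),
        Snapshot("4 old KSK/ZSK and their RRSIGs removed", n, n, n),
    ]


def check_rollover(steps: list) -> dict:
    """Map each step name to its list of problems (an empty list means the step is fine)."""
    return {s.name: problems(s) for s in steps}


def premature_ds(old: int, new: int) -> Snapshot:
    """The mistake to avoid: the new DS is published before the new keys are in the zone."""
    return Snapshot("DS before DNSKEY",
                    frozenset({old}), frozenset({old}), frozenset({old, new}))


if __name__ == "__main__":
    for name, probs in check_rollover(double_ds_rollover(RSASHA256, ECDSAP256SHA256)).items():
        print(name, "->", "ok" if not probs else probs)
    print(problems(premature_ds(RSASHA256, ECDSAP256SHA256)))
```

The check looks at one authoritative snapshot at a time; the TTL waits between steps are what stop a cache from holding a mixture of two adjacent snapshots (for example the parent's new DS RRset beside a still-cached DNSKEY RRset that has only the old algorithm), which is the same condition `premature_ds` produces directly.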