What action to take first with DS algorithm migration?

Hugo Salgado hsalgado at nic.cl
Wed Sep 14 16:40:07 UTC 2022


On 11:23 14/09, frank picabia wrote:
> Hi,
> 
> I'm at the point in DNSSEC algorithm migration
> where I have two types of keys involved in signing.
> Both algorithms 7 and 8 are in use.
> 
> The top level domain registrar also has DS keys set up for both 7 and 8.
> 
> I need to coordinate pulling out algorithm 7 with the domain registrar so
> our domain will be running against only algo 8.
> 
> Should the TLD registrar remove 7 first, or should I remove signing of zone
> with the algo 7 keys before they make their change?
> 
> I noticed that when I tried removing signing with the algo 7 keys, and
> checked the DNS state at https://dnsviz.net/d/acadiau.ca/dnssec/
> 
> I saw errors at the analyzer like this:
> 
> The DS RRset for the zone included algorithm 7 (RSASHA1NSEC3SHA1), but no
> RRSIG with algorithm 7 covering the RRset was returned in the response.
> 
> I'm not sure if that would be a crippling error to DNS functionality
> if I didn't reverse removal of algo 7 signing, which I've done after seeing
> this.
> 
> Can I do removal of algo 7 at one side prior to the
> other (BIND signing vs TLD registrar side),
> or do we have to try to coordinate this with the TLD
> registrar as closely as possible?

If you already have the two DS at your parent, the next step is
removing the old DS, then wait, then remove the old KSK (but
still have the old ZSK and old signatures), then wait, then
remove everything from the old algorithm.

Adding a new DS is the other way around. You first add the
new ZSK + signatures, then the KSK, then the DS at your parent.

Here's a step-by-step method, in Spanish, but hopefully the
diagrams are self-explanatory:
https://hugo.salga.do/post/615501933278642176/c%C3%B3mo-hacer-un-rollover-de-algoritmo-en-dnssec

Hugo
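An added example, not code from the thread or from BIND: a small model of the consistency rule behind the DNSViz error quoted in the question (RFC 4035, section 2.2, under which a validator expects every algorithm in the parent's DS RRset and in the apex DNSKEY RRset to have a covering RRSIG). The zone states are constructed by hand from the two orderings discussed above; nothing is fetched from the network.

```python
NAMES = {7: "RSASHA1NSEC3SHA1", 8: "RSASHA256"}  # algorithm numbers from the thread

def check_state(ds, dnskey, rrsig):
    """Return the problems a validator would report for one zone state.

    ds     - algorithms present in the DS RRset at the parent
    dnskey - algorithms present in the apex DNSKEY RRset
    rrsig  - algorithms for which RRSIGs covering the zone's RRsets exist
    """
    problems = []
    for alg in sorted(ds - rrsig):   # DS algorithm with no matching signature
        problems.append(f"The DS RRset for the zone included algorithm {alg} "
                        f"({NAMES[alg]}), but no RRSIG with algorithm {alg} "
                        "covering the RRset was returned in the response.")
    for alg in sorted(dnskey - rrsig):   # published key algorithm not signing
        problems.append(f"The DNSKEY RRset included algorithm {alg} "
                        f"({NAMES[alg]}) with no covering RRSIG.")
    return problems

def run_plan(steps):
    """Check each intermediate state; return (label, problems) for the first
    state that breaks validation, or None if every state validates."""
    for label, ds, dnskey, rrsig in steps:
        problems = check_state(ds, dnskey, rrsig)
        if problems:
            return label, problems
    return None

# Withdrawal order from the reply: DS first, then old KSK, then everything
# else. Assumed: while an algorithm-7 key is still published it keeps
# signing, so algorithm-7 RRSIGs stay until the final step.
HUGO_ORDER = [
    ("both algorithms fully deployed",            {7, 8}, {7, 8}, {7, 8}),
    ("parent removes DS for algorithm 7",         {8},    {7, 8}, {7, 8}),
    ("remove old KSK, keep old ZSK + signatures", {8},    {7, 8}, {7, 8}),
    ("remove remaining algorithm-7 keys/RRSIGs",  {8},    {8},    {8}),
]

# The order tried in the question: stop signing with algorithm 7 while the
# parent still publishes the algorithm-7 DS (the state DNSViz flagged).
SIGNATURES_FIRST = [
    ("both algorithms fully deployed",                  {7, 8}, {7, 8}, {7, 8}),
    ("stop algorithm-7 signing, DS 7 still at parent",  {7, 8}, {8},    {8}),
]

if __name__ == "__main__":
    print("reply's order   :", run_plan(HUGO_ORDER))
    print("signatures first:", run_plan(SIGNATURES_FIRST))
```

Running it shows the reply's order passing at every step, while the signatures-first order reproduces the DS error text the analyzer returned.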
