What action to take first with DS algorithm migration?

frank picabia fpicabia at gmail.com
Wed Sep 14 17:07:26 UTC 2022


That's a good resource. Thanks, Hugo.



On Wed, Sep 14, 2022 at 1:40 PM Hugo Salgado <hsalgado at nic.cl> wrote:

> On 11:23 14/09, frank picabia wrote:
> > Hi,
> >
> > I'm at the point in DNSSEC algorithm migration
> > where I have two types of keys involved in signing.
> > Both algorithm 7 and 8 are in use.
> >
> > The top level domain registrar also has DS keys set up for both 7 and 8.
> >
> > I need to coordinate pulling out algorithm 7 with the domain registrar so
> > our domain will be running against only algo 8.
> >
> > Should the TLD registrar remove 7 first, or should I remove signing of
> > the zone with the algo 7 keys before they make their change?
> >
> > I noticed that when I tried removing signing with the algo 7 keys, and
> > checked the DNS state at https://dnsviz.net/d/acadiau.ca/dnssec/
> >
> > I saw errors at the analyzer like this:
> >
> > The DS RRset for the zone included algorithm 7 (RSASHA1NSEC3SHA1), but no
> > RRSIG with algorithm 7 covering the RRset was returned in the response.
> >
> > I'm not sure if that would be a crippling error to DNS functionality
> > if I didn't reverse removal of algo 7 signing, which I've done after
> > seeing this.
> >
> > Can I do removal of algo 7 at one side prior to the
> > other (Bind signing vs TLD Registrar side),
> > or do we have to try to coordinate this with the TLD
> > registrar as closely as possible?
>
> If you already have the two DS at your parent, the next step is
> removing the old DS, then wait, then remove the old KSK (but
> still have the old ZSK and old signatures), then wait, then
> remove everything from the old algorithm.
>
> Adding a new DS is the other way around. You first add the
> new ZSK + signatures, then the KSK, then the DS at your parent.
>
> Here's a step-by-step method, in Spanish, but hopefully the
> diagrams are self-explanatory:
>
> https://hugo.salga.do/post/615501933278642176/c%C3%B3mo-hacer-un-rollover-de-algoritmo-en-dnssec
>
> Hugo
>
>
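As an added illustration (not code from the thread, from BIND, or from Hugo's post), here is a small Python model of the retirement order Hugo describes, checking each intermediate state against the RFC 6840 rule that produced the dnsviz error. The ZoneState class, its field names and the constructed algorithm sets are assumptions made for this example.

```python
from dataclasses import dataclass, replace

# Algorithm numbers from the IANA DNSSEC algorithm registry
RSASHA1NSEC3SHA1 = 7
RSASHA256 = 8

@dataclass(frozen=True)
class ZoneState:
    """Which algorithms a validator sees at each point it looks (constructed model)."""
    ds: frozenset      # algorithms in the parent's DS RRset
    ksk: frozenset     # algorithms of KSKs in the zone's DNSKEY RRset
    zsk: frozenset     # algorithms of ZSKs in the zone's DNSKEY RRset
    rrsig: frozenset   # algorithms of the RRSIGs covering the zone's RRsets

def consistency_errors(s: ZoneState) -> list[str]:
    """RFC 4035 s2.2 / RFC 6840 s5.11: every algorithm listed in the DS RRset
    or the DNSKEY RRset must also sign every RRset in the zone. This is the
    rule dnsviz applied when algorithm 7 signatures were dropped early."""
    errors = []
    for alg in sorted(s.ds):
        if alg not in s.ksk:
            errors.append(f"DS algorithm {alg} has no matching KSK")
        if alg not in s.rrsig:
            errors.append(f"DS algorithm {alg} present but no RRSIG with algorithm {alg}")
    for alg in sorted((s.ksk | s.zsk) - s.ds):
        if alg not in s.rrsig:
            errors.append(f"DNSKEY algorithm {alg} present but no RRSIG with algorithm {alg}")
    return errors

def retirement_plan(start: ZoneState, old: int) -> list[tuple[str, ZoneState]]:
    """Successive states for retiring `old` in the order from the reply:
    DS at the parent first, then the KSK, then the ZSK and its signatures.
    Between steps, wait at least the relevant TTL (DS TTL, then DNSKEY TTL)."""
    drop = lambda algs: frozenset(algs - {old})
    s1 = replace(start, ds=drop(start.ds))
    s2 = replace(s1, ksk=drop(s1.ksk))
    s3 = replace(s2, zsk=drop(s2.zsk), rrsig=drop(s2.rrsig))
    return [("remove old DS at parent", s1), ("remove old KSK", s2),
            ("remove old ZSK and its RRSIGs", s3)]

# Constructed sample: both algorithms fully deployed, as in the thread
BOTH = frozenset({RSASHA1NSEC3SHA1, RSASHA256})
DUAL_SIGNED = ZoneState(ds=BOTH, ksk=BOTH, zsk=BOTH, rrsig=BOTH)
# The state the original poster tried: signing with 7 stopped while DS 7 remains
SIGNING_DROPPED_FIRST = replace(DUAL_SIGNED, rrsig=frozenset({RSASHA256}))

if __name__ == "__main__":
    print(consistency_errors(SIGNING_DROPPED_FIRST))
    for step, state in retirement_plan(DUAL_SIGNED, RSASHA1NSEC3SHA1):
        print(step, "->", consistency_errors(state) or "OK")
```

The model checks only algorithm coverage; it does not check TTL waits or signature validity periods, which still have to be respected between steps.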

