This may be the wrong mailing list but I cannot find another concerning DNSSEC in general.
When I originally set up DNSSEC I used the RSASHA1 algorithm as this seemed to be the only one that could be used with NSEC3. However, further reading (and/or changes in DNSSEC) would indicate that RSASHA256... can also be used with NSEC3. As a result I would like to change the algorithm. I am using my family's domain rather than a /live/ domain for testing, which would seem to give me one of two options.

1) Delete the keys that have been published including the .ca (? forgotten tech term), publish new keys for the site and wait for the dust to settle. As the site is small, not heavily used and does not support anything critical, this may be the simplest solution. Problem: I don't learn anything!

2) Generate new keys, publish them as new for rollover at all levels including TLD (?), and on the date the current keys become inactive (or new keys become active) re-sign the domain.

I am not sure that 2 is correct, and additionally I am not sure that I want to take the delay.