On Mon, Jan 12, 2015 at 09:29:59AM -0500, John wrote:
This may be the wrong mailing list but I cannot find another concerning DNSSEC general.
Note, this list does not have very many subscribers as yet (just 20 at present), and it seems you're posting from a different addres than the one you subscribed with (you've left off the address extension) so the list moderators have to manually release your posts.
When I originally setup DNSSEC I used the RSASHA1 algorithm as this seemed to be the only one that could be used with NSEC3.
However, further reading (and/or changes in DNSSEC) would indicate the RSASHA256... can also be used with NSEC3.
Yes, algorithm 7 vs algorithm 8.
As a result I would like change algorithm.
Note that, for example, the .org zone is also using algorithm 7. You're in good company.
- delete the keys that have been published including the .ca (? forgotten
tech term), publish new keys for the site and wait for the dust to settle.
The correct way to do algorithm rollover in DNSSEC is:
* First include additional keys in your zone (publish DNSKEY records at the zone apex for both algorithm 7 and 8).
* Wait a few TTLs after all the secondary nameservers also have the new keys.
* Publish additional DS records matching the algorithm 8 KSK via your registrar.
* Wait a couple of parent zone TTLs.
* Delete the algorithm 7 DS RRs.
* Wait a few more parent zone TTLs.
* Delete the algorithm 7 DNSKEY records from the zone apex.
The important invariant here is that all times each DS record from the parent zone unexpired in any resolvers cache or served by the parent zone must match some DNSKEY at the zone apex unexpired in that resolvers cache or served by the zone's nameservers.