On Fri, Mar 06, 2020 at 05:33:42PM +0100, Peter van Dijk wrote:
> On Thu, 2020-01-09 at 20:19 -0500, Viktor Dukhovni wrote:
> > If/when you do decide to switch algorithms, please perform the migration with care. Algorithm rollovers can be tricky. The basic process is:
> > 1. Publish and activate a ZSK for the new algorithm. Your zone should now be double-signed, with each record having two RRSIGs. Don't forget to bump the SOA.
>
> Your zone is now bogus.

No it is not. The zone is signed with two ZSKs, one for each algorithm. The idea is to sign the zone *at the same time* as the ZSK is introduced, not add the ZSK and sign later.

> > The reason for all this is to maintain the following invariants:
> > A. Each algorithm mentioned in the parent zone DS RRset must have a matching KSK in the zone's DNSKEY RRset.
> > B. Each KSK algorithm appearing in the zone's DNSKEY RRset must have a corresponding ZSK signature for each record in the zone.
>
> You are missing:
> C. Each algorithm for which a DNSKEY exists must sign all the records in the zone.

And the invariant holds, because it is signed with ZSKs for both algorithms.

> Because of caching, step 1 potentially breaks this invariant.

https://tools.ietf.org/html/rfc6781#section-4.1.4 explains this at length (with better wording than I used), and appears to get it right.
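The three invariants argued over in this thread, written out as a small checker. This is an added example, not code from the thread or from any DNS software: the zone snapshots, owner names and the `cached_mix` helper are constructed for illustration, and the checker evaluates invariants A, B and C exactly as the thread states them rather than reproducing any particular validator's acceptance logic. It shows the difference between publishing the new ZSK alone and publishing it together with the new signatures, and then what a resolver sees when its cached DNSKEY RRset and its cached data RRsets come from different points in the rollover.

```python
"""Checker for the DNSSEC algorithm-rollover invariants from the thread.

Added example; key flags and algorithm numbers are IANA values
(flags 257 = KSK with SEP bit, 256 = ZSK; 8 = RSASHA256,
13 = ECDSAP256SHA256). All zone snapshots are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

KSK = 257
ZSK = 256
RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class Key:
    flags: int
    algorithm: int


@dataclass(frozen=True)
class View:
    """One validator's view of a zone: the parent's DS algorithms, the
    DNSKEY RRset, and the set of algorithms that signed each RRset."""
    ds_algorithms: FrozenSet[int]
    dnskeys: FrozenSet[Key]
    rrsig_algs: Dict[str, FrozenSet[int]]


def check_invariants(view: View) -> List[str]:
    """Return the violated invariants (empty list when all hold).

    A. every DS algorithm at the parent has a KSK of that algorithm in DNSKEY
    B. every KSK algorithm in DNSKEY has an RRSIG over every RRset
    C. every algorithm with any DNSKEY (KSK or ZSK) signs every RRset
    """
    ksk_algs = {k.algorithm for k in view.dnskeys if k.flags == KSK}
    all_algs = {k.algorithm for k in view.dnskeys}
    problems: List[str] = []
    for alg in sorted(view.ds_algorithms - ksk_algs):
        problems.append(f"A: DS algorithm {alg} has no KSK in the DNSKEY RRset")
    for name, algs in view.rrsig_algs.items():
        for alg in sorted(ksk_algs - algs):
            problems.append(f"B: KSK algorithm {alg} has no RRSIG over {name}")
        # Algorithms already reported under B are not repeated here.
        for alg in sorted((all_algs - algs) - ksk_algs):
            problems.append(f"C: DNSKEY algorithm {alg} has no RRSIG over {name}")
    return problems


# Constructed RRsets of a small zone (owner name and type).
RRSETS = ("example.org. SOA", "example.org. NS", "www.example.org. A")


def signed_with(*algs: int) -> Dict[str, FrozenSet[int]]:
    """Every RRset in the zone carries one RRSIG per given algorithm."""
    return {name: frozenset(algs) for name in RRSETS}


# Before the rollover: everything is algorithm 8.
BEFORE = View(
    ds_algorithms=frozenset({RSASHA256}),
    dnskeys=frozenset({Key(KSK, RSASHA256), Key(ZSK, RSASHA256)}),
    rrsig_algs=signed_with(RSASHA256),
)

# Step 1 done wrong: the algorithm-13 ZSK is published but the zone is
# not re-signed in the same step, so invariant C fails for every RRset.
STEP1_KEY_ONLY = View(
    ds_algorithms=BEFORE.ds_algorithms,
    dnskeys=BEFORE.dnskeys | {Key(ZSK, ECDSAP256SHA256)},
    rrsig_algs=BEFORE.rrsig_algs,
)

# Step 1 done right: new ZSK and the double signatures go out together.
STEP1_DOUBLE_SIGNED = View(
    ds_algorithms=BEFORE.ds_algorithms,
    dnskeys=STEP1_KEY_ONLY.dnskeys,
    rrsig_algs=signed_with(RSASHA256, ECDSAP256SHA256),
)

# DS for algorithm 13 published at the parent before a KSK 13 exists:
# invariant A fails.
DS_TOO_EARLY = View(
    ds_algorithms=frozenset({RSASHA256, ECDSAP256SHA256}),
    dnskeys=STEP1_DOUBLE_SIGNED.dnskeys,
    rrsig_algs=STEP1_DOUBLE_SIGNED.rrsig_algs,
)


def cached_mix(dnskey_from: View, data_from: View) -> View:
    """A resolver holding the DNSKEY RRset from one point in the rollover
    and the data RRsets (with their RRSIGs) cached from another."""
    return View(dnskey_from.ds_algorithms, dnskey_from.dnskeys, data_from.rrsig_algs)


if __name__ == "__main__":
    for label, v in [("before", BEFORE), ("step1 key only", STEP1_KEY_ONLY),
                     ("step1 double-signed", STEP1_DOUBLE_SIGNED),
                     ("DS too early", DS_TOO_EARLY),
                     ("new DNSKEY, old data cached", cached_mix(STEP1_DOUBLE_SIGNED, BEFORE)),
                     ("old DNSKEY, new data cached", cached_mix(BEFORE, STEP1_DOUBLE_SIGNED))]:
        print(label, "->", check_invariants(v) or "ok")
```

The two `cached_mix` cases are the point of the caching objection: the same correctly double-signed zone is fine when a resolver's DNSKEY RRset is older than its data, but fails invariant C when the DNSKEY RRset is newer than data RRsets still cached with only the old algorithm's RRSIGs. The checker only reports what the stated invariants require; how strictly a given validator enforces C is a property of that validator, not of this code.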