On 2019/12/02 12:16, Michael Grimm wrote:
Hi

Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

         Also adoption of ECDSA P-256 (algorithm 13) continues to grow,
         and the number of domains using P-256 KSKs has almost reached
         parity with RSA-SHA256 (algorithm 8), which is just ahead for
         now, but likely not for very much longer.
I run a small ISP in South Africa - with about 2000 domains. About 200 of these are DNSSEC signed. I'm in the process of migrating them from algo 8 to algo 13. It's all scripted and the conversions are all happening automatically. The KSK-ZSK chain has to be complete through with at least one common algorithm. I also don't want to re-sign everything at the same time - so everything is spread out over a year. I keep KSKs for a year and ZSKs for a month.
ZSKs are dealt with totally internally, whereas a KSK rollover means talking to the parent zone and changing DS records - so I'm timing everything with my KSKs.

When a KSK is due to roll, create both an Algo-13 KSK and ZSK. Upload the appropriate DS. Once the new DS record is "seen" (and give it another day) - then delete the old DS, KSK and ZSK.

The KSK and ZSK signatures are much shorter - so you are less likely to be used as a DDoS source for a DNS denial of service attack (the amplification is way lower).

You don't need to increase the Key Size.


My KSK and ZSK are both of algorithm 8 and 2048 bits in size.

Is it correct to assume - due to the growing adoption of algorithm 13 - that this algorithm should be preferred?
If so, I would like to migrate.
But I do have some questions to the community beforehand:

#) Can one mix KSK and ZSK algorithms? 

   (I do have a rollover of my ZSKs due in a couple of days. Thus starting with ZSKs would be convenient.)

#) Would it be wise to increase from 2048 to 4096 bits in size?

Thanks in advance and with kind regards,
Michael



--

Mark James ELKINS  -  Posix Systems - (South) Africa
mje@posix.co.za       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
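The rollover Mark describes above (publish an algorithm-13 KSK/ZSK pair alongside the algorithm-8 pair, upload the new DS, wait until the parent serves it plus one more day, then retire the old DS, KSK and ZSK) can be written as a small state machine. The following is an added example, not Mark Elkins' production script and not tied to any particular signer. The `algorithm_chain_ok` check encodes the rule behind his "at least one common algorithm" remark: RFC 6840 section 5.11 requires a DNSKEY for every algorithm in the parent's DS RRset and a signature by every algorithm present in the DNSKEY RRset, so a half-migrated key set (KSK-13 without ZSK-13, or DS-13 without KSK-13) fails validation. The `Key`, `Rollover`, key tags and DS lines are constructed for illustration; `parse_ds_tags` expects presentation-format DS records such as the answer section of a `dig` query against the parent.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

RSASHA256 = 8          # DNSSEC algorithm number 8 (RFC 5702)
ECDSAP256SHA256 = 13   # DNSSEC algorithm number 13 (RFC 6605)


@dataclass(frozen=True)
class Key:
    tag: int        # key tag, as it appears in the matching DS record (constructed values below)
    algorithm: int  # DNSSEC algorithm number
    role: str       # "KSK" or "ZSK"


def algorithm_chain_ok(ds_algorithms: Iterable[int], keys: Iterable[Key]) -> bool:
    """RFC 6840 section 5.11: every algorithm in the parent's DS RRset needs a
    DNSKEY of that algorithm, and every algorithm present in the DNSKEY RRset
    must sign the zone.  With a KSK/ZSK split that means a KSK for each DS
    algorithm and a ZSK for each algorithm that appears in the key set."""
    keys = list(keys)
    ksk_algs = {k.algorithm for k in keys if k.role == "KSK"}
    zsk_algs = {k.algorithm for k in keys if k.role == "ZSK"}
    all_algs = {k.algorithm for k in keys}
    return set(ds_algorithms) <= ksk_algs and all_algs <= zsk_algs


def parse_ds_tags(answer_lines: Iterable[str]) -> Dict[int, int]:
    """Map key tag -> algorithm from presentation-format DS records
    ("name TTL IN DS tag alg digest-type digest"); other lines are skipped."""
    tags: Dict[int, int] = {}
    for line in answer_lines:
        fields = line.split()
        if "DS" not in fields:
            continue
        i = fields.index("DS")
        if len(fields) < i + 4:
            continue
        tags[int(fields[i + 1])] = int(fields[i + 2])
    return tags


@dataclass
class Rollover:
    old: Tuple[Key, Key]   # (KSK, ZSK) of the outgoing algorithm
    new: Tuple[Key, Key]   # (KSK, ZSK) of the incoming algorithm
    hold_down: timedelta = timedelta(days=1)   # "give it another day"
    ds_first_seen: Optional[datetime] = None   # when the parent first served the new DS


def rollover_action(roll: Rollover, parent_ds: Dict[int, int], now: datetime) -> str:
    """Decide the next step from what the parent currently publishes.
    Returns "wait-for-ds", "hold-down" or "remove-old"."""
    new_ksk = roll.new[0]
    if parent_ds.get(new_ksk.tag) != new_ksk.algorithm:
        roll.ds_first_seen = None      # not (or no longer) visible: restart the wait
        return "wait-for-ds"
    if roll.ds_first_seen is None:
        roll.ds_first_seen = now       # first sighting starts the hold-down clock
    if now - roll.ds_first_seen < roll.hold_down:
        return "hold-down"
    return "remove-old"                # safe to delete the old DS, KSK and ZSK


def keys_for_action(roll: Rollover, action: str) -> List[Key]:
    """Key set the zone carries (and signs with) for a given step.  Until the
    old DS can go, both algorithm pairs stay published, so the chain validates
    whether the parent serves the old DS, the new DS, or both."""
    if action == "remove-old":
        return list(roll.new)
    return list(roll.old) + list(roll.new)


if __name__ == "__main__":
    # Constructed walk-through: tags and DS lines are illustrative only.
    old_pair = (Key(1001, RSASHA256, "KSK"), Key(1002, RSASHA256, "ZSK"))
    new_pair = (Key(2001, ECDSAP256SHA256, "KSK"), Key(2002, ECDSAP256SHA256, "ZSK"))
    roll = Rollover(old=old_pair, new=new_pair)
    t0 = datetime(2019, 12, 2, 12, 0)
    parent_before = parse_ds_tags(["example.za. 3600 IN DS 1001 8 2 AAAA"])
    parent_after = parse_ds_tags(["example.za. 3600 IN DS 1001 8 2 AAAA",
                                  "example.za. 3600 IN DS 2001 13 2 BBBB"])
    for hours, ds in ((0, parent_before), (1, parent_after), (13, parent_after), (25, parent_after)):
        action = rollover_action(roll, ds, t0 + timedelta(hours=hours))
        keys = keys_for_action(roll, action)
        print(f"+{hours:2d}h {action:12s} chain_ok={algorithm_chain_ok(ds.values(), keys)}")
```

The check runs against whatever DS set the parent actually returns, which is why the double-signed key set is kept until the hold-down expires: a resolver that still caches the old DS, or a parent that serves both, validates either way.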
