On 1/17/2015 11:11 AM, Carsten Strotmann wrote:
Doing a DNSSEC algorithm rollover is not simple. To my knowledge there is currently no software support for algorithm rollovers. Therefore it is important to choose a good algorithm in the beginning.
Choosing an algorithm is probably one of the more important decisions to be made in the planning stage. I think my mistake was choosing the "wrong" algorithm. Overall, underestimating the complexity of implementing DNSSEC and overconfidence in my ability to implement it were my biggest problems. Fortunately I started with my lab rat DNS, and the only people affected were family and some friends.
RFC 6781, 4.1.4 describes the steps for such a rollover in detail (I mention this here for admins that want to start an algorithm rollover and come across this post): https://tools.ietf.org/html/rfc6781
Yep, I read this camel of a document.
The Czech TLD registry did an algorithm rollover in 2010 and documented their findings -> http://www.ripe.net/ripe/meetings/regional-meetings/moscow-2010/DNSSEC201010...
I totally agree with them - plan, plan - rehearse, rehearse, rehearse.