Algorithm rollover
This may be the wrong mailing list but I cannot find another concerning DNSSEC general.
When I originally setup DNSSEC I used the RSASHA1 algorithm as this seemed to be the only one that could be used with NSEC3. However, further reading (and/or changes in DNSSEC) would indicate the RSASHA256... can also be used with NSEC3. As a result I would like change algorithm. I am using my families domain rather than a /live/ domain for testing which would seem to give me one of two options. 1) delete the keys that have been published including the .ca (? forgotten tech term), publish new keys for the site and wait for the dust to settle. As the site is small, not heavily used and does not support anything critical this may be the simplest solution. Problem, I don't learn anything! 2) generate new keys, publish them as new for rollover at all levels including TLD (?), on the date the current keys become inactive (or new keys become active) resign the domain. I am not sure that 2 is correct, and additionally I am not sure that I want to take the delay. ?
On Mon, Jan 12, 2015 at 09:29:59AM -0500, John wrote:
This may be the wrong mailing list but I cannot find another concerning DNSSEC general.
Note, this list does not have very many subscribers as yet (just 20 at present), and it seems you're posting from a different addres than the one you subscribed with (you've left off the address extension) so the list moderators have to manually release your posts.
When I originally setup DNSSEC I used the RSASHA1 algorithm as this seemed to be the only one that could be used with NSEC3.
However, further reading (and/or changes in DNSSEC) would indicate the RSASHA256... can also be used with NSEC3.
Yes, algorithm 7 vs algorithm 8.
As a result I would like change algorithm.
Note that, for example, the .org zone is also using algorithm 7. You're in good company.
- delete the keys that have been published including the .ca (? forgotten
tech term), publish new keys for the site and wait for the dust to settle.
The correct way to do algorithm rollover in DNSSEC is:
* First include additional keys in your zone (publish DNSKEY records at the zone apex for both algorithm 7 and 8).
* Wait a few TTLs after all the secondary nameservers also have the new keys.
* Publish additional DS records matching the algorithm 8 KSK via your registrar.
* Wait a couple of parent zone TTLs.
* Delete the algorithm 7 DS RRs.
* Wait a few more parent zone TTLs.
* Delete the algorithm 7 DNSKEY records from the zone apex.
The important invariant here is that all times each DS record from the parent zone unexpired in any resolvers cache or served by the parent zone must match some DNSKEY at the zone apex unexpired in that resolvers cache or served by the zone's nameservers.
On 1/12/2015 10:48 AM, Viktor Dukhovni wrote:
On Mon, Jan 12, 2015 at 09:29:59AM -0500, John wrote:
This may be the wrong mailing list but I cannot find another concerning DNSSEC general.
Note, this list does not have very many subscribers as yet (just 20 at present), and it seems you're posting from a different addres than the one you subscribed with (you've left off the address extension) so the list moderators have to manually release your posts.
That's what comes of trying to be cute. I was trying to make life easier for myself and avoid having create a filter.
When I originally setup DNSSEC I used the RSASHA1 algorithm as this seemed to be the only one that could be used with NSEC3.
However, further reading (and/or changes in DNSSEC) would indicate the RSASHA256... can also be used with NSEC3.
Yes, algorithm 7 vs algorithm 8.
As a result I would like change algorithm.
Note that, for example, the .org zone is also using algorithm 7. You're in good company.
- delete the keys that have been published including the .ca (? forgotten
tech term), publish new keys for the site and wait for the dust to settle.
The correct way to do algorithm rollover in DNSSEC is:
* First include additional keys in your zone (publish DNSKEY records at the zone apex for both algorithm 7 and 8). * Wait a few TTLs after all the secondary nameservers also have the new keys. * Publish additional DS records matching the algorithm 8 KSK via your registrar. * Wait a couple of parent zone TTLs. * Delete the algorithm 7 DS RRs. * Wait a few more parent zone TTLs. * Delete the algorithm 7 DNSKEY records from the zone apex.
The important invariant here is that all times each DS record from the parent zone unexpired in any resolvers cache or served by the parent zone must match some DNSKEY at the zone apex unexpired in that resolvers cache or served by the zone's nameservers.
Which is what I thought.
On 1/12/2015 3:28 PM, John wrote:
On 1/12/2015 10:48 AM, Viktor Dukhovni wrote:
On Mon, Jan 12, 2015 at 09:29:59AM -0500, John wrote:
This may be the wrong mailing list but I cannot find another concerning DNSSEC general.
Note, this list does not have very many subscribers as yet (just 20 at present), and it seems you're posting from a different addres than the one you subscribed with (you've left off the address extension) so the list moderators have to manually release your posts.
That's what comes of trying to be cute. I was trying to make life easier for myself and avoid having create a filter.
When I originally setup DNSSEC I used the RSASHA1 algorithm as this seemed to be the only one that could be used with NSEC3.
However, further reading (and/or changes in DNSSEC) would indicate the RSASHA256... can also be used with NSEC3.
Yes, algorithm 7 vs algorithm 8.
As a result I would like change algorithm.
Note that, for example, the .org zone is also using algorithm 7. You're in good company.
- delete the keys that have been published including the .ca (?
forgotten tech term), publish new keys for the site and wait for the dust to settle.
The correct way to do algorithm rollover in DNSSEC is:
* First include additional keys in your zone (publish DNSKEY records at the zone apex for both algorithm 7 and 8). * Wait a few TTLs after all the secondary nameservers also have the new keys. * Publish additional DS records matching the algorithm 8 KSK via your registrar. * Wait a couple of parent zone TTLs. * Delete the algorithm 7 DS RRs. * Wait a few more parent zone TTLs. * Delete the algorithm 7 DNSKEY records from the zone apex.
The important invariant here is that all times each DS record from the parent zone unexpired in any resolvers cache or served by the parent zone must match some DNSKEY at the zone apex unexpired in that resolvers cache or served by the zone's nameservers.
Which is what I thought.
Well I tied it .........!/!!/*** I don't know what I did wrong but at some point the algorithm 8 KSK became a ZSK and things went downhill from there real fast. In the end I decided that I had lost control and that as nobody could be relying on my DNSSEC info that a tear-down and rebuild was required.
I obviously screwed up, as I said I am not sure the what, when or how! My only advice to anybody thinking of doing this is be very cautious. I would suggest setting up a test server (if you have the resources) and working upon that. Then once everything looks OK switch it to live.
participants (2)
-
John
-
Viktor Dukhovni