On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote:
> 
> On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins <m...@posix.co.za> wrote:
> > Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
> > the results.
> > Add a new KSK using RSASHA256 - prep the zone and sign again.
> > 1 - Signer is confused???? - can not sign (or generate a new Signed
> > Zone)...
> > Verifying the zone using the following algorithms:
> > RSASHA1.
> > Missing self signing KSK for algorithm RSASHA256
> > The zone is not fully signed for the following algorithms:
> > RSASHA256.
> > dnssec-signzone: fatal: DNSSEC completeness test failed.
> 
> When you include DNSKEYS with multiple algorithms, both the DNSKEY
> RRset and other RRsets in the zone must be signed with each algorithm
> [1]. Because you designed your RSASHA256 DNSKEY as a KSK,
> dnssec-signzone is only using it to sign the DNSKEY RRset, not other
> RRsets. To resolve this, create a ZSK with algorithm RSASHA256 to
> your zone.
Thanks. So what you are saying in practical terms is in order to migrate from RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which cycle once a year) and then at exactly the same time start using RSASHA256 on the KSKs (which cycle every month) - making any existing ZSK using RSASHA1 (or their DSs in the parent) redundant after about a further month. FUBAR!

And algorithms have a tendency to be updated reasonably frequently... every 2 to 5 years! That is not very friendly from a migration point of view. It would probably be easier to first completely remove DNSSEC from a zone then re-install it from scratch with the new algorithms.

I'm still playing (after two years) - I don't mind. Others???? :-(

> 
> Regards,
> Casey
> 
> [1] See http://tools.ietf.org/html/rfc4035 - section 2.2
> 

-- 
Mark Elkins <m...@posix.co.za>
Posix Systems
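A pre-flight check for the rule Casey cites, added here as an example that is not part of the original thread: it parses the DNSKEY records of a zone file (the sample zone is constructed, with placeholder key material) and reports each algorithm that lacks a KSK or a ZSK, which is exactly the state dnssec-signzone rejected above. Algorithm numbers and flag bits are the IANA / RFC 4034 values; running it before signing tells you which key is missing instead of failing the completeness test.

```python
import re
from collections import defaultdict

# DNSSEC algorithm numbers from the IANA registry (subset).
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}

# DNSKEY flags (RFC 4034): 0x0100 = Zone Key, 0x0001 = SEP bit, which BIND
# sets on KSKs. So flags 257 = KSK and 256 = ZSK.
ZONE_KEY_BIT = 0x0100
SEP_BIT = 0x0001

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+",
    re.IGNORECASE,
)

def parse_dnskeys(zone_text):
    """Return (flags, algorithm) for every DNSKEY record in zone-file text."""
    keys = []
    for line in zone_text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m and int(m.group("proto")) == 3:  # protocol field must be 3
            keys.append((int(m.group("flags")), int(m.group("alg"))))
    return keys

def check_algorithm_completeness(zone_text):
    """List one problem per algorithm that lacks a KSK (signs the DNSKEY RRset)
    or a ZSK (signs the rest of the zone); empty list = RFC 4035 2.2 satisfied."""
    roles = defaultdict(set)
    for flags, alg in parse_dnskeys(zone_text):
        if flags & ZONE_KEY_BIT:  # ignore keys that are not zone keys
            roles[alg].add("KSK" if flags & SEP_BIT else "ZSK")
    problems = []
    for alg in sorted(roles):
        name = ALG_NAMES.get(alg, f"algorithm {alg}")
        if "KSK" not in roles[alg]:
            problems.append(f"missing self-signing KSK for {name}")
        if "ZSK" not in roles[alg]:
            problems.append(f"missing ZSK for {name}: zone would not be fully signed")
    return problems

# Constructed sample mirroring the thread: RSASHA1 KSK+ZSK plus an RSASHA256 KSK only.
SAMPLE_ZONE = """\
example.net. 3600 IN DNSKEY 257 3 5 AwEAAKSK1placeholder
example.net. 3600 IN DNSKEY 256 3 5 AwEAAZSK1placeholder
example.net. 3600 IN DNSKEY 257 3 8 AwEAAKSK8placeholder
"""
```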
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users