In message <20161006205713.ga1...@danton.fire-world.de>, Sebastian Wiesinger writes:
> Hello,
>
> is there a guide for an algorithm rollover with BIND9 for an
> inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
> find a good guide for it. I already looked at the ISC DNSSEC Guide but
> it doesn't seem to cover that the RRSIGs made by the new keys need to
> be published before the DNSKEYs themselves are published in the zone.
Because there is no such requirement. Just create the keys in the new
algorithm and let named sign the zone.

The DNSSEC RFCs were written with rules for zone publishers and rules for
zone validators. These were designed around the fact that the DNS is
loosely coherent and that you can't update everything simultaneously.
That means that you can expect that you won't find signatures for every
algorithm in the DNSKEY RRset in the answers.

One DNSSEC vendor tried to check that there were signatures for every
algorithm in the DNSKEY RRset but was told they were wrong to do so. That
was a rule for zone publishers, not validators. That vendor has since
fixed their code.

Named behaves as if it is a loosely coherent anycast cluster when it is
signing a zone for the first time with a given algorithm. This means you
will see answers without signatures for all of the algorithms while it is
in the process of signing the zone with an algorithm for the first time.

Once named has completed signing the zone with the new algorithm and all
the slaves have the fully signed zone and the caches have expired any
RRsets which are only signed with the old algorithm, you can add DS
records for the new algorithm for the zone.

Mark

> Regards
>
> Sebastian
>
> --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
> -- Terry Pratchett, The Fifth Elephant
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
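The publisher-side check Mark describes (every RRset in the zone must carry an RRSIG from the new algorithm before the DS for it is published) as an added Python example; this is not code from the thread or from BIND. It reads a one-RR-per-line zone listing such as `dig AXFR` produces; the zone, key material and signature fields below are constructed, and 8 and 13 are the IANA algorithm numbers for RSASHA256 and ECDSAP256SHA256.

```python
from collections import defaultdict

RSASHA256 = 8          # algorithm number of the old keys in the thread
ECDSAP256SHA256 = 13   # algorithm number the poster is rolling to

def parse_rrs(zone_text):
    """Yield (owner, rrtype, rdata_fields) per record line of a zone listing."""
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()     # drop comments and blank lines
        if line:
            owner, _ttl, _cls, rrtype, *rdata = line.split()
            yield owner.lower(), rrtype, rdata

def dnskey_algorithms(zone_text):
    """Algorithms advertised in the DNSKEY RRset (DNSKEY rdata: flags proto alg key)."""
    return {int(r[2]) for _o, t, r in parse_rrs(zone_text) if t == "DNSKEY"}

def missing_signatures(zone_text):
    """Map (owner, type) -> DNSKEY algorithms that have no RRSIG over that RRset."""
    algs = dnskey_algorithms(zone_text)
    rrsets, signed = set(), defaultdict(set)
    for owner, t, r in parse_rrs(zone_text):
        if t == "RRSIG":                      # RRSIG rdata: type-covered alg labels ...
            signed[(owner, r[0])].add(int(r[1]))
        else:
            rrsets.add((owner, t))
    return {rs: algs - signed[rs] for rs in sorted(rrsets) if algs - signed[rs]}

def ready_for_ds(zone_text, new_alg):
    """Publisher rule: add the new DS only once every RRset is signed with new_alg."""
    return all(new_alg not in gap for gap in missing_signatures(zone_text).values())

# Constructed zone listing mid-rollover: www's A record is still signed only by RSA.
ZONE_MID_ROLL = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2016100601 7200 3600 1209600 3600
example.com. 3600 IN DNSKEY 257 3 8 AwEAAfakeKSK==
example.com. 3600 IN DNSKEY 256 3 8 AwEAAfakeZSK==
example.com. 3600 IN DNSKEY 257 3 13 fakeECDSAKSK==
example.com. 3600 IN DNSKEY 256 3 13 fakeECDSAZSK==
example.com. 3600 IN RRSIG SOA 8 2 3600 20161106000000 20161007000000 11111 example.com. sig==
example.com. 3600 IN RRSIG SOA 13 2 3600 20161106000000 20161007000000 22222 example.com. sig==
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20161106000000 20161007000000 33333 example.com. sig==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20161106000000 20161007000000 44444 example.com. sig==
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 8 3 3600 20161106000000 20161007000000 11111 example.com. sig==
"""

if __name__ == "__main__":
    for rrset, gap in missing_signatures(ZONE_MID_ROLL).items():
        print(rrset, "still lacks RRSIGs for algorithms", sorted(gap))
    print("safe to publish ECDSA DS:", ready_for_ds(ZONE_MID_ROLL, ECDSAP256SHA256))
```

Run it against a transfer from each slave, not against cached answers, since the thread's point is that individual answers may legitimately lack signatures for some algorithms while named is still signing.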