* Tony Finch <d...@dotat.at> [2016-10-10 12:36]:
> I thought the algorithm rollover process is required to be: introduce new
> ZSK and KSK and sign the zone; wait for old records to expire; flip the DS
> from old to new; wait for old DS to expire; delete old ZSK and KSK and
> RRSIGs. A double-DS algorithm rollover will cause your zone to go bogus.
I did the "double DS" approach: first publish the new KSK/ZSK, wait for the zone TTLs, then introduce a second DS. The zone looked like this:

http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/

After the DS TTL expired I removed the old DS, so the zone now looks like this:

http://dnsviz.net/d/blau.beer/V_t2Hg/dnssec/

The last step, after the DS TTL expires (again), will be removing the old KSK and ZSK. It seems to work.

After doing this I discovered that the .tz TLD did it the same way:

https://singapore52.icann.org/en/schedule/mon-tech/presentation-ksk-algorithm-09feb15-en.pdf

Regards
Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
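An added example, not code from the thread or from BIND: a small Python model of the rollover timelines discussed above (Sebastian's double-DS sequence and a hastier variant of the kind Tony warns about). It enumerates every DS / DNSKEY+RRSIG combination a validating resolver could still be holding in cache at each step and reports the steps at which some combination is bogus. The TTLs, timestamps and the "old"/"new" algorithm labels are constructed, and a resolver is assumed to combine any cached DS RRset with any cached zone snapshot.

```python
ZONE_TTL = 3600   # assumed TTL of DNSKEY and signed zone data
DS_TTL = 86400    # assumed TTL of the DS RRset at the parent


def state_at(track, u):
    """Value of a sorted (time, value) track as it stood at time u."""
    cur = track[0][1]
    for ts, val in track:
        if ts <= u:
            cur = val
    return cur


def cached_views(track, t, ttl):
    """Every value a resolver could still be caching at time t."""
    views = {state_at(track, t - ttl)}
    views |= {val for ts, val in track if t - ttl < ts <= t}
    return views


def bogus_at(signed, ds, t):
    """RFC 4035 s2.2: every algorithm listed in the DS RRset must appear in
    the DNSKEY RRset and sign every RRset in the zone. Any cached DS/zone
    combination that violates this makes the zone bogus for that resolver."""
    return any(not d <= s
               for d in cached_views(ds, t, DS_TTL)
               for s in cached_views(signed, t, ZONE_TTL))


def bogus_times(signed, ds):
    """Event times at which some cache combination is bogus. The set of
    cached views only shrinks between events, so event times suffice."""
    times = sorted({ts for ts, _ in signed} | {ts for ts, _ in ds})
    return [t for t in times if bogus_at(signed, ds, t)]


OLD, NEW = frozenset({"old"}), frozenset({"new"})
BOTH = OLD | NEW
T1 = 10  # constructed: moment the new KSK/ZSK are published and signing starts

# Sebastian's sequence: sign with both, wait ZONE_TTL, add the second DS,
# wait DS_TTL, drop the old DS, wait DS_TTL, drop the old keys.
SEBASTIAN_SIGNED = [(0, OLD), (T1, BOTH), (T1 + ZONE_TTL + 2 * DS_TTL, NEW)]
SEBASTIAN_DS = [(0, OLD), (T1 + ZONE_TTL, BOTH), (T1 + ZONE_TTL + DS_TTL, NEW)]

# Hasty variant: the second DS appears before the old zone data has expired.
HASTY_DS = [(0, OLD), (T1 + 600, BOTH), (T1 + 600 + DS_TTL, NEW)]
```

`bogus_times(SEBASTIAN_SIGNED, SEBASTIAN_DS)` is empty, while `bogus_times(SEBASTIAN_SIGNED, HASTY_DS)` flags the moment the second DS was published, because a resolver could pair the new DS RRset with zone data that predates the new signatures.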