Hi,

I'm planning a DNSSEC algorithm rollover for a couple of my zones.

RFC 6781 suggests an approach in section 4.1.4 that involves first signing the zone with a ZSK of the new algorithm, and only when all previous RRSIGs have expired introducing the ZSK and KSK to the DNSKEY RRset.

I started experimenting with BIND 9.9's inline signing feature, and noticed that currently (9.9.4) one cannot sign with a key without also publishing it. When I tried to bring this up with ISC, the initial response was that the RFC is overly conservative and only broken resolvers require this kind of staged introduction of a new algorithm.

Are there any guesstimates, or even hard data, on what percentage of resolvers, if any, will consider zones bogus if the algorithm rollover is handled in the more liberal style, as a regular double-signature KSK rollover?

Cheers,
-- 
                           |  .''`.  ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
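The rule a strict validator applies here (RFC 4035 section 2.2: every algorithm in the DNSKEY RRset must sign every RRset in the zone) can be checked against snapshots of what a resolver might see in its cache during the rollover. This is an added example written for this thread, not code from the post, BIND, or ISC; the zone snapshots are constructed, and the "conservative" and "liberal" step names are mine.

```python
"""Check the RFC 4035 section 2.2 consistency rule that a strict validator
applies during a DNSSEC algorithm rollover: each algorithm present in the
DNSKEY RRset must also have an RRSIG over every RRset the validator sees.
Example added for this discussion; zone data below is constructed."""
from typing import Dict, Set

# IANA DNSSEC algorithm numbers used in the constructed snapshots.
RSASHA1, RSASHA256 = 5, 8


def missing_signatures(dnskey_algs: Set[int],
                       rrsig_algs: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Return, per RRset, the DNSKEY algorithms that have no RRSIG over it.

    dnskey_algs: algorithms present in the DNSKEY RRset the validator holds.
    rrsig_algs:  RRset name -> algorithms of the RRSIGs it holds for that RRset
                 (fresh or cached, whichever the resolver currently has).
    An empty result means a strict validator will not mark the zone bogus
    on this ground; RRSIGs by algorithms absent from DNSKEY are ignored."""
    return {name: dnskey_algs - algs
            for name, algs in rrsig_algs.items()
            if dnskey_algs - algs}


def zone_is_consistent(dnskey_algs: Set[int],
                       rrsig_algs: Dict[str, Set[int]]) -> bool:
    """True when every published algorithm signs every RRset."""
    return not missing_signatures(dnskey_algs, rrsig_algs)


# RFC 6781 section 4.1.4 order (constructed snapshot): the zone is already
# signed with the new algorithm, but its keys are NOT yet in DNSKEY. Cached
# old-algorithm-only RRSIGs are harmless because RSASHA256 is not published.
CONSERVATIVE_STEP1 = (
    {RSASHA1},
    {"example.org. SOA": {RSASHA1, RSASHA256},
     "www.example.org. A": {RSASHA1}},       # stale cached RRSIG, old alg only
)

# Double-signature style (constructed snapshot): new keys are published at the
# same time as the new signatures, so a validator holding a cached RRSIG that
# carries only the old algorithm sees an unsigned algorithm for that RRset.
LIBERAL_STEP1 = (
    {RSASHA1, RSASHA256},
    {"example.org. SOA": {RSASHA1, RSASHA256},
     "www.example.org. A": {RSASHA1}},       # stale cached RRSIG, old alg only
)
```

The strict-validator view is exactly the case the RFC's staging avoids; a resolver that tolerates the liberal snapshot is one that does not enforce section 2.2 per RRset.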