On Tue, Dec 17, 2024 at 4:03 PM Peter Thomassen <pe...@desec.io> wrote:
> Hi Shumon,
>
> On 12/17/24 21:51, Shumon Huque wrote:
> > We probably need to know some more details about what exactly is
> > changing.
> > Do we have any contacts at .FI that can provide them?
>
> According to a statement sent to their registrars, they are moving from
> algorithm 8 to 13.

Thanks! I agree a contact would be useful.

> > If they are also moving to a new provider/platform as part of the
> > algorithm change, then the situation may be more complicated. They'd need to do
> > an algorithm rollover and a multi-signer transition
>
> I don't think that is the case.
>
> It's true that changing the algorithm at the same time as a platform
> change might not be easy. However, if both platform and algorithm are
> changing, there's no need to change them at the same time.

Agreed, that's why I was asking for more details! :)

> When done separately, it seems one can first move to the new platform (if
> needed, using an additional RSA key). As both algorithms are MUST
> implement, the new platform is then expected to support both algorithm 8
> and 13 for a subsequent algorithm rollover.

Yup, but moving to the new platform using the same algorithm non-disruptively still requires some specific features to be supported (multi-signer ZSK import - I assume that's what you mean by "additional RSA key") and it's possible these features may be lacking in some platforms. You could deploy a totally new keypair at the new party without cross sharing, but that introduces intermittent validation failures and possible complete failures for resolvers that don't robustly retry queries.

Shumon
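The failure mode Shumon describes (a new keypair at the new platform without cross sharing, versus importing each side's ZSK) can be modelled as an added toy simulation; this is not code from the thread or from any of the platforms discussed, it performs no real DNSSEC cryptography, and the platform layout, key tags and DS contents are constructed sample values.

```python
# Added illustration (not from the thread): a toy model of the "new keypair at the
# new party without cross sharing" failure mode described above. No real DNSSEC
# cryptography; a signature "validates" when the resolver's fetched DNSKEY RRset
# contains the key that produced it and the parent DS set covers the KSK that
# signed that DNSKEY RRset. Platform names, key tags and algorithm numbers are
# constructed sample values.
from itertools import product

ALG_RSASHA256, ALG_ECDSAP256 = 8, 13  # algorithm numbers named in the thread

def platform(ksk, zsk, extra_zsks=()):
    """One signing platform: publishes the DNSKEY RRset it knows about,
    signs the DNSKEY RRset with its own KSK and other RRsets with its own ZSK."""
    return {"dnskeys": {ksk, zsk, *extra_zsks}, "ksk": ksk, "zsk": zsk}

def validates(dnskey_from, rrsig_from, ds_set):
    """Resolver fetched the DNSKEY RRset from one authoritative platform and the
    A-record RRSIG from another (they may differ behind a shared NS set)."""
    dnskey_ok = dnskey_from["ksk"] in ds_set                 # DNSKEY RRset chains to parent DS
    rrsig_ok = rrsig_from["zsk"] in dnskey_from["dnskeys"]   # RRSIG's key is actually published
    return dnskey_ok and rrsig_ok

def rollout_outcomes(platforms, ds_set):
    """Every (DNSKEY source, RRSIG source) pairing a resolver might encounter.
    Returns (failing pairings, total pairings)."""
    results = [validates(d, r, ds_set) for d, r in product(platforms, platforms)]
    return results.count(False), len(results)

# Keys are (key_tag, algorithm) tuples; both platforms stay on algorithm 8 here.
OLD_KSK, OLD_ZSK = (11111, ALG_RSASHA256), (22222, ALG_RSASHA256)
NEW_KSK, NEW_ZSK = (33333, ALG_RSASHA256), (44444, ALG_RSASHA256)

def no_cross_sharing():
    """New platform brought up with its own keypair only; parent DS lists both KSKs."""
    old = platform(OLD_KSK, OLD_ZSK)
    new = platform(NEW_KSK, NEW_ZSK)
    return rollout_outcomes([old, new], ds_set={OLD_KSK, NEW_KSK})

def with_zsk_import():
    """Multi-signer style: each platform also publishes the other's ZSK."""
    old = platform(OLD_KSK, OLD_ZSK, extra_zsks=[NEW_ZSK])
    new = platform(NEW_KSK, NEW_ZSK, extra_zsks=[OLD_ZSK])
    return rollout_outcomes([old, new], ds_set={OLD_KSK, NEW_KSK})

if __name__ == "__main__":
    print("without cross sharing, failing pairings:", no_cross_sharing())  # (2, 4)
    print("with ZSK import, failing pairings:", with_zsk_import())        # (0, 4)
```

The two mixed pairings failing in the first case are the "intermittent" failures; a resolver that caches one platform's DNSKEY RRset and then keeps hitting the other for RRSIGs sees them as persistent unless it retries against the other server.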
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations