Hi, never mind, but I believe that I found an answer to one of my questions in the meantime.

Michael Grimm <[email protected]> wrote:
> Viktor Dukhovni <[email protected]> wrote:
>
>> Also adoption of ECDSA P-256 (algorithm 13) continues to grow,
>> and the number of domains using P-256 KSKs has almost reached
>> parity with RSA-SHA256 (algorithm 8), which is just ahead for
>> now, but likely not for very much longer.
>
> My KSK and ZSK are both of algorithm 8 and 2048 bits in size.
>
> Is it correct to assume that -due to the growing adoption of algorithm 13-
> that this algorithm should be preferred?
> If so, I would like to migrate.
> But, I do have some questions to the community beforehand:
>
> #) Can one mix KSK and ZSK algorithms?
>
> (I do have a rollover of my ZSKs due in a couple of days. Thus starting
> with ZSKs would be convenient.)

https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over
https://medium.com/nlnetlabs/algorithm-rollover-in-opendnssec-1-3-bf1dfa480aa7

Both articles suggest that one should change the algorithm on both keys
during a simultaneous rollover operation with additional precautions.
(Because I am using OpenDNSSEC v2 I will take the second article as a
guideline.)

> #) Would it be wise to increase from 2048 to 4096 bits size?

With kind regards,
Michael
