On Fri, Mar 06, 2020 at 05:33:42PM +0100, Peter van Dijk wrote:

> On Thu, 2020-01-09 at 20:19 -0500, Viktor Dukhovni wrote:
> > If/when you do decide to switch algorithms, please perform the migration
> > with care. Algorithm rollovers can be tricky. The basic process is:
> >
> > 1. Publish and activate a ZSK for the new algorithm. Your zone
> >    should now be double-signed, with each record having two
> >    RRSIGs. Don't forget to bump the SOA.
>
> Your zone is now bogus.

No it is not. The zone is signed with two ZSKs, one for each algorithm.
The idea is to sign the zone *at the same time* as the ZSK is introduced,
not add the ZSK and sign later.

> > The reason for all this is to maintain the following invariants:
> >
> > A. Each algorithm mentioned in the parent zone DS RRset must
> >    have a matching KSK in the zone's DNSKEY RRset.
> >
> > B. Each KSK algorithm appearing in the zone's DNSKEY RRset
> >    must have a corresponding ZSK signature for each record
> >    in the zone.
>
> You are missing:
>
> C. Each algorithm for which a DNSKEY exists, must sign all the records
>    in the zone.

And the invariant holds, because it is signed with ZSKs for both algorithms.

> Because of caching, step 1 potentially breaks this invariant.
>
> https://tools.ietf.org/html/rfc6781#section-4.1.4 explains this at
> length (with better wording than I used), and appears to get it right.

-- 
Viktor.
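The invariants A, B and C discussed in the thread are easy to check mechanically before a rollover step is published. The following is an added example, not code written by either participant: it models a zone's DS set, DNSKEY RRset and per-record RRSIG algorithms abstractly (no real signing is done), and reports which invariant a given key/signature state violates. The zone name, the record list and both zone states are constructed for illustration; algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256) are the IANA values. Signatures over the DNSKEY RRset itself are deliberately out of scope.

```python
"""Check the DNSSEC algorithm-rollover invariants A, B and C from the thread.

Added example, not code from the thread's authors. Records are modelled
abstractly: a DS algorithm set, a DNSKEY set and a map of record name ->
set of algorithms that have an RRSIG over it. No cryptography is performed;
only the bookkeeping that decides whether a mixed-algorithm zone is consistent.
"""
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers.
RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class Dnskey:
    algorithm: int
    ksk: bool  # True for a KSK (flags 257), False for a ZSK (flags 256)


@dataclass
class Zone:
    ds_algorithms: set  # algorithms present in the parent's DS RRset
    dnskeys: set        # set of Dnskey
    rrsig_algs: dict    # record name -> set of algorithms with an RRSIG on it


def key_algorithms(zone, ksk):
    """Algorithms of the zone's KSKs (ksk=True) or ZSKs (ksk=False)."""
    return {k.algorithm for k in zone.dnskeys if k.ksk == ksk}


def check_invariant_a(zone):
    """A: every DS algorithm has a matching KSK; returns the DS algorithms without one."""
    return zone.ds_algorithms - key_algorithms(zone, ksk=True)


def _records_missing(zone, required):
    """Map record -> algorithms in `required` that have no RRSIG over that record."""
    missing = {}
    for name, signed_by in zone.rrsig_algs.items():
        absent = required - signed_by
        if absent:
            missing[name] = absent
    return missing


def check_invariant_b(zone):
    """B: every KSK algorithm has a signature over every record."""
    return _records_missing(zone, key_algorithms(zone, ksk=True))


def check_invariant_c(zone):
    """C (Peter's addition): every algorithm with any DNSKEY signs every record."""
    return _records_missing(zone, {k.algorithm for k in zone.dnskeys})


def violations(zone):
    """Dict of failed invariants with details; empty means the zone is consistent."""
    out = {}
    for label, check in (("A", check_invariant_a), ("B", check_invariant_b), ("C", check_invariant_c)):
        result = check(zone)
        if result:
            out[label] = result
    return out


# Constructed record set for the hypothetical zone example.test.
RECORDS = ["example.test. SOA", "example.test. NS", "www.example.test. A"]


def double_signed_zone():
    """Viktor's step 1 done as he intends: the new ZSK and its signatures appear together."""
    return Zone(
        ds_algorithms={RSASHA256},
        dnskeys={Dnskey(RSASHA256, True), Dnskey(RSASHA256, False), Dnskey(ECDSAP256SHA256, False)},
        rrsig_algs={r: {RSASHA256, ECDSAP256SHA256} for r in RECORDS},
    )


def zsk_added_but_not_signed_zone():
    """The state Peter warns about: new ZSK published, records still signed by RSA only."""
    zone = double_signed_zone()
    zone.rrsig_algs = {r: {RSASHA256} for r in RECORDS}
    return zone


def ds_published_before_ksk_zone():
    """Parent DS for the new algorithm published before a matching KSK exists (breaks A)."""
    zone = double_signed_zone()
    zone.ds_algorithms = {RSASHA256, ECDSAP256SHA256}
    return zone


if __name__ == "__main__":
    for name, builder in (("double-signed", double_signed_zone),
                          ("ZSK added, not signed", zsk_added_but_not_signed_zone),
                          ("DS before KSK", ds_published_before_ksk_zone)):
        print(f"{name}: {violations(builder()) or 'consistent'}")
```

Running the module prints that the double-signed state is consistent, that adding the ZSK without signing violates C on every record (algorithm 13 has no RRSIG), and that publishing the new DS early violates A; invariant B alone would not catch the first failure, which is the point Peter makes.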
