On Mon, Feb 01, 2021 at 12:09:38PM +0000, pat...@patpro.net wrote:

> It's a risk I can take if I'm stuck but I'm willing to try the dual-sign
> method.

I should mention that given the humongous sizes of your current signatures, dual signing will make things noticeably worse in the meantime, unless you FIRST reduce your key sizes without changing algorithms. Therefore:

1. Roll over to a 1280 bit ZSK. Introduce it into the DNSKEY RRset inactive, with an activation time equal to the inactivation time of the previous 4096 bit ZSK.

2. Wait a couple of TTLs and drop the now inactive old ZSK entirely.

3. Introduce a new 2048-bit KSK, that is immediately active, signing the DNSKEY RRset. You can also immediately publish the associated DS RR alongside the current DS KSK RR.

4. Wait a couple of TTLs of the parent .net zone.

5. Drop the old DS RR and the old KSK.

Only then do an algorithm rollover to P256. This is quite a bit of work (though BIND 9.16 might just automate most of this for you). I'll not think less of you if you decide to go unsigned for a couple of days.

-- 
Viktor.
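The five steps above are a pre-publish ZSK rollover followed by a double-DS KSK rollover, and the two "wait a couple of TTLs" pauses are what keep every resolver cache consistent. The following added example (not code from this thread, from patpro's zone, or from BIND) turns the steps into a timeline driven by the zone's TTLs and then brute-forces a simple resolver-cache model over it to confirm that no cached DNSKEY, RRSIG or DS combination can ever fail to validate. The key names, key sizes, the 30-day age of the existing keys and the TTLs (DNSKEY 1h, zone maximum 1d, parent DS 1d) are constructed sample values, and the model assumes the zone is fully re-signed the moment a ZSK stops signing, which is a simplification.

```python
"""Plan and sanity-check the rollover sequence from the reply above.

Added example, not code from the list thread or from BIND.  Times are
seconds relative to "now"; TTLs, key names and key sizes are constructed
sample values.  Assumption: the zone is fully re-signed as soon as a ZSK
changes state (a simplification of real signer behaviour).
"""
from dataclasses import dataclass
from typing import List, Optional

STEP = 1800   # model resolution in seconds; every event below is a multiple of it


@dataclass
class Key:
    name: str
    role: str                         # "ZSK" or "KSK"
    bits: int
    publish: int                      # first present in the DNSKEY RRset
    activate: int                     # first used to sign
    inactive: Optional[int]           # stops signing (None: still signing)
    delete: Optional[int]             # leaves the DNSKEY RRset (None: still there)
    ds_publish: Optional[int] = None  # KSK only: DS appears at the parent
    ds_delete: Optional[int] = None   # KSK only: DS withdrawn from the parent

    def published(self, t: int) -> bool:
        return self.publish <= t and (self.delete is None or t < self.delete)

    def signing(self, t: int) -> bool:
        return self.activate <= t and (self.inactive is None or t < self.inactive)

    def ds_present(self, t: int) -> bool:
        return (self.ds_publish is not None and self.ds_publish <= t
                and (self.ds_delete is None or t < self.ds_delete))


def plan_rollover(now: int, dnskey_ttl: int, zone_max_ttl: int,
                  parent_ds_ttl: int, wait_ttls: int = 2) -> List[Key]:
    """Steps 1-5 of the reply; "a couple of TTLs" is wait_ttls * TTL."""
    long_ago = now - 30 * 86400                 # the existing keys predate the plan
    zsk_switch = now + wait_ttls * dnskey_ttl   # step 1: new ZSK pre-published now,
    old_zsk = Key("zsk-4096", "ZSK", 4096,      #   active when the old one goes inactive
                  publish=long_ago, activate=long_ago, inactive=zsk_switch,
                  # step 2: keep the old ZSK until every RRSIG it made has left caches
                  delete=zsk_switch + wait_ttls * zone_max_ttl)
    new_zsk = Key("zsk-1280", "ZSK", 1280,
                  publish=now, activate=zsk_switch, inactive=None, delete=None)
    ksk_start = old_zsk.delete                        # step 3: new KSK active at once,
    ksk_end = ksk_start + wait_ttls * parent_ds_ttl   #   its DS beside the old one;
    old_ksk = Key("ksk-4096", "KSK", 4096,            # steps 4-5: wait parent TTLs,
                  publish=long_ago, activate=long_ago,  # then drop old DS and old KSK
                  inactive=ksk_end, delete=ksk_end,
                  ds_publish=long_ago, ds_delete=ksk_end)
    new_ksk = Key("ksk-2048", "KSK", 2048,
                  publish=ksk_start, activate=ksk_start, inactive=None, delete=None,
                  ds_publish=ksk_start, ds_delete=None)
    return [old_zsk, new_zsk, old_ksk, new_ksk]


def find_validation_gaps(keys: List[Key], dnskey_ttl: int, zone_max_ttl: int,
                         parent_ds_ttl: int, start: int, end: int) -> List[int]:
    """Times at which some resolver could fail validation.

    Cache model: at time t a resolver may hold a DNSKEY RRset fetched at any
    s2 in [t - dnskey_ttl, t], zone RRSIGs fetched at any s1 in
    [t - zone_max_ttl, t] and a DS RRset fetched at any s3 in [t - parent_ds_ttl, t].
    """
    zsks = [k for k in keys if k.role == "ZSK"]
    ksks = [k for k in keys if k.role == "KSK"]
    gaps = []
    for t in range(start, end + 1, STEP):
        dnskey_fetches = range(t - dnskey_ttl, t + 1, STEP)
        # Every ZSK that could have signed a cached RRSIG must be in every
        # DNSKEY RRset that could still be cached (pre- and post-publish rules).
        zone_ok = all(k.published(s2)
                      for s1 in range(t - zone_max_ttl, t + 1, STEP)
                      for k in zsks if k.signing(s1)
                      for s2 in dnskey_fetches)
        cover_ok = any(k.signing(t) for k in zsks)   # the zone is never unsigned
        # For every cached DS RRset / DNSKEY RRset pair, some KSK must be in
        # both and be signing the DNSKEY RRset (the double-DS rule).
        chain_ok = all(any(k.ds_present(s3) and k.published(s2) and k.signing(s2)
                           for k in ksks)
                       for s3 in range(t - parent_ds_ttl, t + 1, STEP)
                       for s2 in dnskey_fetches)
        if not (zone_ok and cover_ok and chain_ok):
            gaps.append(t)
    return gaps


def timeline(keys: List[Key]) -> List[str]:
    """Event list sorted by time, in days from now, for the operator's runbook."""
    events = []
    for k in keys:
        for field in ("publish", "activate", "inactive", "delete", "ds_publish", "ds_delete"):
            t = getattr(k, field)
            if t is not None and t >= 0:
                events.append((t, f"{t / 86400:6.2f} d  {k.name:9s} {field}"))
    return [text for _, text in sorted(events)]


if __name__ == "__main__":
    TTLS = dict(dnskey_ttl=3600, zone_max_ttl=86400, parent_ds_ttl=86400)
    plan = plan_rollover(0, **TTLS)
    print("\n".join(timeline(plan)))
    print("gaps:", find_validation_gaps(plan, start=0, end=10 * 86400, **TTLS))
    rushed = plan_rollover(0, wait_ttls=0, **TTLS)   # same steps with no waiting
    print("gaps without waiting:", find_validation_gaps(rushed, start=0, end=86400, **TTLS)[:3])
```

Running it prints the ten dated events of the plan and an empty gap list; the `rushed` variant, which performs the same steps without the waits, reports gaps starting at time zero because a resolver holding yesterday's DNSKEY RRset would see signatures from a key it does not have. The same checker can be pointed at the later P256 algorithm rollover once that is planned, since the cache model does not care which algorithm a key uses.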