[Yeti DNS Discuss] 答复: Call for comment: Experiment proposal for Yeti Algorithm Rollover

Davey Song(宋林健) ljsong at biigroup.cn
Wed Dec 26 08:29:43 UTC 2018

There may be some issues when pre-publish the new keys without the new
signature, I think.




发件人: Davey Song(宋林健) [mailto:ljsong at biigroup.cn] 
发送时间: 2018年12月26日 16:02
收件人: 'Davey Song(宋林健)'; discuss at lists.yeti-dns.org
主题: 答复: [Yeti DNS Discuss] Call for comment: Experiment proposal for
Yeti Algorithm Rollover


In case people hate links in the mail, I post the methodology of our
approach  which explains why we choose the approach.


# Methodology


Different from the conservative approach proposed in section of
RFC6781, Yeti Algorithm Rollover is similar with the prior Yeti KSK
rollover, **adopting a liberal approach and only rolling KSK with Double-DS
rollover**. It is explained why we choose this approach as follows:


* The reasons of choosing liberal approach are twofold: 1) Algorithm
rollover in .SE shows that conservative algorithm rollover is not necessary
(only 6 out of 10000 failed). 2)Yeti algorithm rollover is deliberately
design to expose more possible failures.


* The reasons of only rolling KSK is that some people suggested that some
resolver may not tolerate a KSK and a ZSK using different algorithms in the
same zone (notably PowerDNS). We need to investigate this with more details.


* The reason of choosing Double-DS KSK rollover method lies in that 1) it is
our prior Yeti KSK rollover approach and, 2) our deliberate violation of
saying in section 4.1.4 of RFC6781. We think it does not apply in Algorithm
rollover for root because Root has no parents.


>"Note that the Double-DS KSK rollover method cannot be used, since

   that would introduce a parental DS of which the apex DNSKEY RRset has

   not been signed with the introduced algorithm."--section 4.1.4 of RFC6781




发件人: discuss [mailto:discuss-bounces at lists.yeti-dns.org] 代表 Davey
发送时间: 2018年12月26日 15:35
收件人: discuss at lists.yeti-dns.org
主题: [Yeti DNS Discuss] Call for comment: Experiment proposal for Yeti
Algorithm Rollover


Hi colleagues, 


After some investigation of Algorithm rollover, and existing practice in
cctld (.se and .br). I proposed an algorithm rollover experiment plan for




In short, the first Yeti algorithm roll will follow the exact steps and
timeline to the prior yeti ksk roll. The only difference is the new key will
use ECDSA p-256. I explain why I choose this approach in github document. I
also would like to hear from you for comments and suggestions.


If no major changes on this draft proposal, I will test it in BII lab first,
then I will proposed it to be tested in Yeti testbed in 2019.


Best regards,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.yeti-dns.org/pipermail/discuss/attachments/20181226/06a4ca7c/attachment-0001.html>

More information about the discuss mailing list