[Yeti DNS Discuss] Call for comment: Experiment proposal for Yeti Algorithm Rollover

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Dec 27 16:45:40 UTC 2018


On Wed, Dec 26, 2018 at 03:35:01PM +0800,
 Davey Song <ljsong at biigroup.cn> wrote 
 a message of 147 lines which said:

> After some investigation of algorithm rollover and existing practice in
> ccTLDs (.se and .br), I proposed an algorithm rollover experiment plan for
> Yeti.
> 
> https://github.com/BII-Lab/Yeti-Project/blob/master/doc/Experiment-AlgRoll.md 

> The reason for only rolling the KSK is that some people suggested that
> some resolvers may not tolerate a KSK and a ZSK using different
> algorithms in the same zone (notably PowerDNS).

This sentence is unclear. If some resolvers cannot tolerate a KSK and
a ZSK with different algorithms, it seems to imply the opposite: we
need to change the algorithm of the ZSK as well.

Also, reading the excellent report
<https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over>, it
seems that some resolvers (that was three years ago) complained when
the records were not signed with *all* the algorithms listed in the DS
record. So, when the new KSK is accepted as a trust anchor, it
may break these resolvers.
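The "all algorithms" rule the report refers to is the strict reading of RFC 4035 section 2.2 (relaxed for validators by RFC 6840 section 5.11): every RRset must carry an RRSIG for each algorithm in the apex DNSKEY RRset, and the DNSKEY RRset must also be signed by each algorithm in the parent's DS. The following checker is an added example, not code from the thread or the Yeti project; the two zone snapshots are constructed, with `example.` as a placeholder zone and IANA algorithm numbers 8 and 13 chosen arbitrarily.

```python
"""Flag RRsets a strict DNSSEC validator would reject during an algorithm roll.

Constructed example (not Yeti project code). Models the strict RFC 4035 s2.2
rule; RFC 6840 s5.11 tells validators not to insist on it, but older
resolvers did, which is the failure the RIPE Labs report describes.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

RSASHA256 = 8          # IANA DNSSEC algorithm numbers used in the samples
ECDSAP256SHA256 = 13


@dataclass
class ZoneSnapshot:
    apex: str
    ds_algorithms: Set[int]                # algorithms in the parent's DS RRset
    dnskey_algorithms: Set[int]            # algorithms of keys in the apex DNSKEY RRset
    rrsig_algorithms: Dict[str, Set[int]]  # "owner/type" -> algorithms of its RRSIGs


def strict_missing_signatures(zone: ZoneSnapshot) -> List[Tuple[str, int]]:
    """Return (rrset, algorithm) pairs lacking an RRSIG under the strict rule."""
    missing: List[Tuple[str, int]] = []
    for rrset, present in sorted(zone.rrsig_algorithms.items()):
        required = set(zone.dnskey_algorithms)
        if rrset == zone.apex + "/DNSKEY":
            required |= zone.ds_algorithms   # DNSKEY RRset must also cover DS algorithms
        missing.extend((rrset, alg) for alg in sorted(required - present))
    return missing


# KSK-only roll, mid-way: new DS and KSK (alg 13) are published and the new KSK
# signs the DNSKEY RRset, but the unchanged ZSK (alg 8) still signs all data.
KSK_ONLY_ROLL = ZoneSnapshot(
    apex="example.",
    ds_algorithms={RSASHA256, ECDSAP256SHA256},
    dnskey_algorithms={RSASHA256, ECDSAP256SHA256},
    rrsig_algorithms={
        "example./DNSKEY": {RSASHA256, ECDSAP256SHA256},
        "example./SOA": {RSASHA256},
        "www.example./A": {RSASHA256},
    },
)

# Same stage when a ZSK of the new algorithm also double-signs every data RRset.
FULL_ROLL = ZoneSnapshot(
    apex="example.",
    ds_algorithms={RSASHA256, ECDSAP256SHA256},
    dnskey_algorithms={RSASHA256, ECDSAP256SHA256},
    rrsig_algorithms={k: {RSASHA256, ECDSAP256SHA256} for k in KSK_ONLY_ROLL.rrsig_algorithms},
)
```

Running `strict_missing_signatures(KSK_ONLY_ROLL)` reports the SOA and A RRsets as missing algorithm 13 signatures, while `FULL_ROLL` reports nothing, which is the point made above about the ZSK needing to roll as well.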

