[Yeti DNS Discuss] 答复: Call for comment: Experiment proposal for Yeti Algorithm Rollover

Davey Song(宋林健) ljsong at biigroup.cn
Fri Dec 28 04:21:03 UTC 2018


> Also, reading the excellent report
> <https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over>, it seems
> that some resolvers (that was three years ago) complained when the records
> were not signed with *all* the algorithms listed in the DS record. So, when the
> new KSK will be accepted as a trust anchor, it may break these resolvers.

In this report there are two caveats:

1) The KSK and ZSK should be rolled at the same time; and
2) The old ZSK cannot be withdrawn until the KSK roll-over is complete.

BTW, in the report RIPE people did not cover the case of rolling KSK and ZSK
separately. So I'm not sure how they concluded with the first
recommendation.

It is also said later in the conclusion part: 

"It is possible to roll the algorithms of the KSK signatures and ZSK
signatures separately, but it involves more work, especially because the DS
records have to be updated more than once."

Given there is no parent for root, the DS issue may not exist, I think.

Davey
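As an added illustration, not part of this thread, here is a small Python model of the rule those resolvers were enforcing (RFC 6840 section 5.11: every algorithm listed in the DS set, or in the trust anchors when there is no parent, must sign every RRset), run over two constructed rollover plans. Key names, algorithm numbers and step names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    name: str
    alg: int    # DNSSEC algorithm number (constructed: 8 = RSASHA256, 13 = ECDSAP256SHA256)
    ksk: bool

@dataclass(frozen=True)
class ZoneState:
    step: str
    trusted_algs: frozenset    # algorithms in the DS set (or, for a root, in the trust anchors)
    dnskey_signers: frozenset  # KSKs whose RRSIG over the DNSKEY RRset is published
    zone_signers: frozenset    # ZSKs whose RRSIGs over the other RRsets are published

def missing_algorithms(state: ZoneState) -> list:
    """Algorithms a strict (RFC 6840 section 5.11) validator trusts but finds unsigned.
    Each trusted algorithm needs a KSK signature on DNSKEY and ZSK signatures on the zone."""
    ksk_algs = {k.alg for k in state.dnskey_signers if k.ksk}
    zsk_algs = {k.alg for k in state.zone_signers if not k.ksk}
    return sorted(state.trusted_algs - (ksk_algs & zsk_algs))

# Constructed keys: old algorithm 8, new algorithm 13.
KSK_OLD, ZSK_OLD = Key("ksk-old", 8, True), Key("zsk-old", 8, False)
KSK_NEW, ZSK_NEW = Key("ksk-new", 13, True), Key("zsk-new", 13, False)
fs = frozenset

def rollover_together():
    """KSK and ZSK rolled at once: new-algorithm signatures exist before the DS/anchor changes."""
    return [
        ZoneState("initial", fs({8}), fs({KSK_OLD}), fs({ZSK_OLD})),
        ZoneState("publish new keys + sigs", fs({8}), fs({KSK_OLD, KSK_NEW}), fs({ZSK_OLD, ZSK_NEW})),
        ZoneState("swap DS/anchor", fs({13}), fs({KSK_OLD, KSK_NEW}), fs({ZSK_OLD, ZSK_NEW})),
        ZoneState("retire old keys", fs({13}), fs({KSK_NEW}), fs({ZSK_NEW})),
    ]

def rollover_ksk_first():
    """KSK rolled and trusted before the ZSK: the zone is not yet signed with algorithm 13."""
    return [
        ZoneState("initial", fs({8}), fs({KSK_OLD}), fs({ZSK_OLD})),
        ZoneState("publish new KSK", fs({8}), fs({KSK_OLD, KSK_NEW}), fs({ZSK_OLD})),
        ZoneState("add new DS/anchor", fs({8, 13}), fs({KSK_OLD, KSK_NEW}), fs({ZSK_OLD})),
        ZoneState("later: publish new ZSK", fs({8, 13}), fs({KSK_OLD, KSK_NEW}), fs({ZSK_OLD, ZSK_NEW})),
    ]

def breaking_steps(states):
    """Steps at which a strict validator would fail, with the algorithms it finds unsigned."""
    return [(s.step, missing_algorithms(s)) for s in states if missing_algorithms(s)]

if __name__ == "__main__":
    for plan in (rollover_together, rollover_ksk_first):
        print(plan.__name__, breaking_steps(plan()))
```

Only the KSK-first plan has a step where a trusted algorithm (13) has no zone signatures, which is the situation the first caveat above guards against.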
