[Yeti DNS Discuss] 答复: Call for comment: Experiment proposal for Yeti Algorithm Rollover
ljsong at biigroup.cn
Fri Dec 28 04:21:03 UTC 2018
> Also, reading the excellent report
> <https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over>, it
> that some resolvers (that was three years ago) complained when the records
> were not signed with *all* the algorithms listed in the DS record. So,
> new KSK will be accepted as a trust anchor, it may break these resolvers.
In this report there are two caveats:
1)The KSK and ZSK should be rolled at the same time; and
2)he old ZSK cannot be withdrawn until the KSK roll-over is complete.
BTW, in the report RIPE people did not the case of rolling KSK and ZSK
separately. So I'm not sure how they concluded with the first
It is also said later in the conclusion part:
"It is possible to roll the algorithms of the KSK signatures and ZSK
signatures separately, but it involves more work, especially because the DS
records have to be updated more than once."
Given there is no parent for root, the DS issue may not exists, I think.
More information about the discuss