[Yeti DNS Discuss] Report on second lab test of algorithm rollover
songlinjian at gmail.com
Thu Jul 18 01:46:49 UTC 2019
Last month we finished the second lab test on algorithm rollover. We
observed some interesting findings and summarized them briefly in Yeti blog
1) 4 different algo-roll schemes proceeded and rolled smoothly with 3
2) dnssec-signzone and smart signing were used to sign the zone. It was
observed that when old RSA KSK is revoked or deleted, the RSA ZSK will be
used to sign both the zone and DNSKEY records, even when -x option is set.
3) Double-DS rolling scheme(prepublish the new algorithm key without
signing with it ) is testing against the protocol. It was observed that
zone can be signed using dnssec-signzone with -P option, and the resolvers
accept this approach.
4) Two different behaviors were observed between BIND and Unbound resolvers.
5) Algorithm rollover with only KSK works for the resolver in Case 1 (with
-P option) and Case 2. The BIND and Unbound can work with it without change
6) Configuration error was found in old version of PowerDNS when
configuring multiple algorithm KSK.
7)Stand-by Key works fine and can be switched immediately if "incumbent"
key is not available in case of failure.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the discuss