[Yeti DNS Discuss] Report on second lab test of algorithm rollover

Davey Song songlinjian at gmail.com
Thu Jul 18 01:46:49 UTC 2019

Hi folks,

Last month we finished the second lab test on algorithm rollover. We
observed some interesting findings and summarized them briefly in the Yeti blog


Some points:
1) 4 different algo-roll schemes proceeded and rolled smoothly with 3
typical resolvers.
2) dnssec-signzone and smart signing were used to sign the zone. It was
observed that when the old RSA KSK is revoked or deleted, the RSA ZSK will be
used to sign both the zone and DNSKEY records, even when the -x option is set.
3) Double-DS rolling scheme (prepublish the new algorithm key without
signing with it) is testing against the protocol. It was observed that
the zone can be signed using dnssec-signzone with the -P option, and the resolvers
accept this approach.
4) Two different behaviors were observed between BIND and Unbound resolvers.
5) Algorithm rollover with only KSK works for the resolver in Case 1 (with
-P option) and Case 2. BIND and Unbound can work with it without change
on the ZSK.
6) A configuration error was found in an old version of PowerDNS when
configuring multiple algorithm KSK.
7) Stand-by Key works fine and can be switched immediately if the "incumbent"
key is not available in case of failure.

Best regards,
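
Added example, not part of the original message and not BIND's code: a simplified version of the algorithm-completeness rule in RFC 4035 section 2.2 (every RRset needs an RRSIG from each algorithm in the apex DNSKEY RRset), the kind of check that the dnssec-signzone -P option from point 3 skips. The zone name, key tags and the choice of algorithm 13 as the new algorithm are constructed assumptions.

```python
# Added example: RFC 4035 section 2.2 algorithm completeness over a zone snapshot.
# All owners, key tags and algorithm choices below are constructed sample data.
from collections import namedtuple

DNSKEY = namedtuple("DNSKEY", "flags algorithm key_tag")
RRSIG = namedtuple("RRSIG", "owner type_covered algorithm key_tag")

def missing_algorithms(dnskeys, rrsigs, rrsets):
    """Map each (owner, rrtype) to the algorithms that appear in the apex
    DNSKEY RRset but have no RRSIG over that RRset from a published key."""
    published = {(k.algorithm, k.key_tag) for k in dnskeys}
    required = {k.algorithm for k in dnskeys}
    gaps = {}
    for owner, rrtype in rrsets:
        signed = {s.algorithm for s in rrsigs
                  if (s.owner, s.type_covered) == (owner, rrtype)
                  and (s.algorithm, s.key_tag) in published}
        if required - signed:
            gaps[(owner, rrtype)] = required - signed
    return gaps

RRSETS = [("example.", "DNSKEY"), ("example.", "SOA"), ("www.example.", "A")]
OLD_KSK, OLD_ZSK = DNSKEY(257, 8, 11111), DNSKEY(256, 8, 22222)    # RSASHA256
NEW_KSK, NEW_ZSK = DNSKEY(257, 13, 33333), DNSKEY(256, 13, 44444)  # ECDSAP256SHA256

def sign_all(ksk, zsk):
    """Constructed signatures: the KSK covers DNSKEY, the ZSK covers the rest."""
    sigs = []
    for owner, rrtype in RRSETS:
        key = ksk if rrtype == "DNSKEY" else zsk
        sigs.append(RRSIG(owner, rrtype, key.algorithm, key.key_tag))
    return sigs

# Point 3 state: the new-algorithm key is published but signs nothing.
PREPUBLISH_KEYS = [OLD_KSK, OLD_ZSK, NEW_KSK]
PREPUBLISH_SIGS = sign_all(OLD_KSK, OLD_ZSK)

# Contrast: both algorithms sign every RRset, so the rule is satisfied.
DUAL_KEYS = [OLD_KSK, OLD_ZSK, NEW_KSK, NEW_ZSK]
DUAL_SIGS = sign_all(OLD_KSK, OLD_ZSK) + sign_all(NEW_KSK, NEW_ZSK)

if __name__ == "__main__":
    for name, keys, sigs in [("prepublish", PREPUBLISH_KEYS, PREPUBLISH_SIGS),
                             ("dual-signed", DUAL_KEYS, DUAL_SIGS)]:
        gaps = missing_algorithms(keys, sigs, RRSETS)
        print(name, "ok" if not gaps else gaps)
```

A strict check of this kind flags the prepublish state on every RRset, which is the tension with the protocol that point 3 refers to.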