[Yeti DNS Discuss] Report on second lab test of algorithm rollover

Davey Song songlinjian at gmail.com
Fri Jul 19 00:51:19 UTC 2019

FYI, There is a Yeti gathering & Bar meeting next Monday monring in
Montreal IETF venue. Anyone who would like to join this gathering please
contact me or Andrew Li (zli at biigroup.com) for more details to follow.


On Thu, 18 Jul 2019 at 09:46, Davey Song <songlinjian at gmail.com> wrote:

> Hi folks,
> Last month we finished the second lab test on algorithm rollover. We
> observed some interesting findings and summarized them briefly in Yeti blog
> post.
> https://yeti-dns.org/yeti/blog/2019/06/25/test-result-of-second-algorithm-roll.html
> some points:
> 1) 4 different algo-roll schemes proceeded and rolled smoothly with 3
> typical resolver.
> 2) dnssec-signzone and smart signing were used to sign the zone. It was
> observed that when old RSA KSK is revoked or deleted, the RSA ZSK will be
> used to sign both the zone and DNSKEY records, even when -x option is set.
> 3) Double-DS rolling scheme(prepublish the new algorithm key without
> signing with it ) is testing against the protocol. It was observed that
>  zone can be signed using dnssec-signzone with -P option, and the resolvers
> accept this approach.
> 4) Two different behaviors were observed between BIND and Unbound
> resolvers.
> 5) Algorithm rollover with only KSK works for the resolver in Case 1 (with
> -P option) and Case 2. The BIND and Unbound can work with it without change
> on ZSK.
> 6) Configuration error was found in old version of PowerDNS when
> configuring multiple algorithm KSK.
> 7)Stand-by Key works fine and can be switched immediately if "incumbent"
> key is not available in case of failure.
> Best regards,
> Davey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.yeti-dns.org/pipermail/discuss/attachments/20190719/b7b5e298/attachment.htm>

More information about the discuss mailing list