Algorithm Rollover in OpenDNSSEC 1.3

Changing signature algorithms in DNSSEC is a different process from a normal key rollover. OpenDNSSEC currently does not support rolling to another algorithm. The only safe way to do it would be to retract your DS record and go insecure for a short while. However, we have now worked out a way to do an algorithm rollover with OpenDNSSEC 1.3 while keeping the zone properly signed and without the need to take the signer daemon offline. Service downtime should not be needed.