This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] DNSSEC algorithm roll-over of all RIPE NCC zones
Anand Buddhdev
anandb at ripe.net
Thu Jun 10 12:04:37 CEST 2021
Dear colleagues,

During the RIPE 82 Meeting, we announced that we would soon roll the keys of all our DNSSEC-signed zones to a new algorithm, ECDSAP256SHA256, as recommended by RFC 8624. We are happy to announce that we are now ready to do this.

On Tuesday, 15 June 2021, we will start the roll-over of both the Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs) of our zones. The process will take several days to complete.

We have performed algorithm roll-over previously, when we switched from RSASHA1 to RSASHA256. We wrote a RIPE Labs article about it, wherein we observed the need to perform this roll-over conservatively, in order to accommodate strict validators:

https://labs.ripe.net/author/anandb/dnssec-algorithm-roll-over/

Therefore, our Knot DNS signer will use the conservative approach described in section 4.1.4 of RFC 6781. This approach ensures that even strict validators can continue to validate our DNSSEC-signed responses during the roll-over.

If you have any questions or concerns, please send an email to dns at ripe.net.

Regards,
Anand Buddhdev
RIPE NCC
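Added example (not part of the original message and not RIPE NCC's tooling): a small Python model of why the stage ordering in RFC 6781 section 4.1.4 keeps strict validators working, where "strict" means the validator expects every RRset to carry a signature for each algorithm present in the apex DNSKEY RRset. The stage tables are constructed, the DS swap at the parent is left out, and it is assumed that each stage lasts long enough that caches only ever mix adjacent stages.

```python
# Added illustration; stage names follow RFC 6781 section 4.1.4.
# Algorithm numbers are the IANA values: 8 = RSASHA256, 13 = ECDSAP256SHA256.
OLD, NEW = 8, 13

# Constructed model of a zone at each stage: (stage name, algorithms in the
# apex DNSKEY RRset, algorithms of the RRSIGs covering ordinary RRsets).
CONSERVATIVE = [
    ("initial",        {OLD},      {OLD}),
    ("new RRSIGs",     {OLD},      {OLD, NEW}),
    ("new DNSKEY",     {OLD, NEW}, {OLD, NEW}),
    ("DNSKEY removal", {NEW},      {OLD, NEW}),
    ("RRSIGs removal", {NEW},      {NEW}),
]
# Constructed counter-example: keys and signatures swapped in a single step.
SINGLE_STEP = [
    ("initial",          {OLD},      {OLD}),
    ("new DNSKEY+RRSIG", {OLD, NEW}, {OLD, NEW}),
    ("old removed",      {NEW},      {NEW}),
]

def missing_algorithms(dnskey_algs, rrsig_algs):
    """Algorithms a strict validator expects a signature for but does not find."""
    return dnskey_algs - rrsig_algs

def strict_failures(stages):
    """Return (dnskey_stage, rrsig_stage, missing) for every view a validator
    can have: DNSKEY and RRSIGs from the same stage, or from adjacent stages
    when one of them is still served from cache."""
    failures = []
    for i, (key_stage, dnskey_algs, _) in enumerate(stages):
        for j in (i - 1, i, i + 1):
            if 0 <= j < len(stages):
                sig_stage, _, rrsig_algs = stages[j]
                missing = missing_algorithms(dnskey_algs, rrsig_algs)
                if missing:
                    failures.append((key_stage, sig_stage, sorted(missing)))
    return failures

if __name__ == "__main__":
    for name, plan in (("conservative", CONSERVATIVE), ("single-step", SINGLE_STEP)):
        print(name, strict_failures(plan) or "no strict-validator failures")
```

In the single-step plan, a cached DNSKEY RRset listing both algorithms can be paired with RRsets signed by only one of them, which is the case the conservative ordering avoids.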