This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC algorithm roll-over of all RIPE NCC zones
Paul de Weerd
pdeweerd+dnswg at ripe.net
Wed Jun 30 12:55:50 CEST 2021
Dear colleagues,

We are happy to inform you that the algorithm roll for all our DNSSEC-signed zones to ECDSAP256SHA256 as described by Anand earlier this month has completed successfully, with the last zone (e164.arpa) finishing its roll yesterday (29 June).

During the roll, we have not observed any problems or noticed any incidents, so we believe the roll was transparent for all validating resolvers that support both the old (8) and new (13) algorithms.

If you have any questions, please send an email to dns at ripe.net.

Best regards,

Paul de Weerd
RIPE NCC

On 2021-06-10 12:04, Anand Buddhdev wrote:
> Dear colleagues,
>
> During the RIPE 82 Meeting, we announced that we would soon roll the
> keys of all our DNSSEC-signed zones to a new algorithm, ECDSAP256SHA256,
> as recommended by RFC 8624.
>
> We are happy to announce that we are now ready to do this. On Tuesday,
> 15 June 2021, we will start the roll-over of both the Key Signing Keys
> (KSKs) and Zone Signing Keys (ZSKs) of our zones. The process will take
> several days to complete.
>
> We have performed algorithm roll-over previously, when we switched from
> RSASHA1 to RSASHA256. We wrote a RIPE Labs article about it, wherein we
> observed the need to perform this roll-over conservatively, in order to
> accommodate strict validators:
> https://labs.ripe.net/author/anandb/dnssec-algorithm-roll-over/
>
> Therefore, our Knot DNS signer will use the conservative approach
> described in section 4.1.4 of RFC 6781. This approach ensures that even
> strict validators can continue to validate our DNSSEC-signed responses
> during the roll-over.
>
> If you have any questions or concerns, please send an email to dns at ripe.net.
>
> Regards,
> Anand Buddhdev
> RIPE NCC
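
The stage order of the conservative roll-over referred to in the quoted announcement, modelled as an added example that is not part of either message and is not RIPE NCC's or Knot DNS's code. It assumes a simplified zone in which one set of RRSIG algorithms covers every RRset and each stage outlasts the relevant TTLs, so a resolver cache can only mix records from two adjacent stages; the `NAIVE` plan is a constructed counter-example.

```python
OLD, NEW = 8, 13  # RSASHA256 -> ECDSAP256SHA256, the algorithm numbers in the message

# (stage, DNSKEY algorithms, RRSIG algorithms on every RRset, DS algorithms at parent)
# Stage order from RFC 6781 section 4.1.4: signatures appear before keys and
# disappear after them.
CONSERVATIVE = [
    ("initial",        {OLD},      {OLD},      {OLD}),
    ("new RRSIGs",     {OLD},      {OLD, NEW}, {OLD}),
    ("new DNSKEY",     {OLD, NEW}, {OLD, NEW}, {OLD}),
    ("new DS",         {OLD, NEW}, {OLD, NEW}, {NEW}),
    ("DNSKEY removal", {NEW},      {OLD, NEW}, {NEW}),
    ("RRSIGs removal", {NEW},      {NEW},      {NEW}),
]

# Constructed counter-example: keys and signatures are added and removed together.
NAIVE = [
    ("initial",             {OLD},      {OLD},      {OLD}),
    ("new DNSKEY + RRSIGs", {OLD, NEW}, {OLD, NEW}, {OLD}),
    ("new DS",              {OLD, NEW}, {OLD, NEW}, {NEW}),
    ("old removed",         {NEW},      {NEW},      {NEW}),
]

def strict_failures(plan):
    """Return every cache combination that a strict validator would reject.

    Strict rule (RFC 4035 section 2.2): each algorithm in the DNSKEY RRset must
    have signed every RRset, and each DS algorithm must have a matching DNSKEY.
    """
    failures = []
    for a, (name_a, dnskey_a, _, ds_a) in enumerate(plan):
        # Cached records may come from the previous, same or next stage.
        for b in range(max(0, a - 1), min(len(plan), a + 2)):
            name_b, dnskey_b, rrsig_b, _ = plan[b]
            missing_sigs = dnskey_a - rrsig_b
            if missing_sigs:
                failures.append(("RRSIG", name_a, name_b, sorted(missing_sigs)))
            missing_keys = ds_a - dnskey_b
            if missing_keys:
                failures.append(("DS", name_a, name_b, sorted(missing_keys)))
    return failures

if __name__ == "__main__":
    for label, plan in (("conservative", CONSERVATIVE), ("naive", NAIVE)):
        print(label, strict_failures(plan) or "no strict-validator failures")
```

Each failure tuple names the stage whose DNSKEY or DS set was cached, the stage the other records came from, and the algorithm numbers left uncovered.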