Note
Erratum: Unfortunately, it appears that this method does not work for OpenDNSSEC 1.4.x. It still works for 1.3.x; specifically, 1.3.18 was tested (thanks Michał Kępień!).

The current version of OpenDNSSEC is unable to perform a DNSSEC algorithm rollover. Blindly changing the KSK and ZSK `<Algorithm>` values in kasp.xml results in a bogus zone: the parent's DS still refers to a key of the old algorithm, while the new DNSKEY RRset is no longer signed by a key that matches that DS, so validators have no chain to follow and RFC 4035 section 2.2 (every algorithm in the DS and DNSKEY RRsets must sign the zone) is violated. The only option to do it securely is to go insecure for the duration: remove the DS from the parent, wait for the DS TTL to expire from caches, publish the unsigned zone, and only then start signing with the new algorithm. This is undesirable, because the zone is unsigned for the whole transition.
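To make the failure mode concrete, here is an added example (not OpenDNSSEC code and not part of the original page) of a validator-style coverage check modelled on the RFC 4035 section 2.2 rules. It is run over constructed snapshots of the same zone at each step of the go-unsigned procedure above, of a blind kasp.xml switch, and of the double-signed intermediate state that RFC 6781 section 4.1.4 describes. Algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256) and the RRset names are assumed for illustration.

```python
# Added example: RFC 4035 section 2.2 algorithm-coverage check over constructed
# zone snapshots.  Models what a validator needs to see; it does not read real
# zone data and is not OpenDNSSEC's signer logic.

RSASHA256 = 8           # DNSSEC algorithm numbers from the IANA registry
ECDSAP256SHA256 = 13


def coverage_problems(ds_algs, dnskey_algs, rrsig_algs):
    """Return the coverage rules a zone snapshot violates (empty list = fine).

    ds_algs     -- algorithms present in the parent's DS RRset (empty: insecure
                   delegation, so nothing to validate against)
    dnskey_algs -- algorithms present in the apex DNSKEY RRset (empty: unsigned)
    rrsig_algs  -- {rrset label: set of algorithms that sign it}; the apex
                   DNSKEY RRset is the entry labelled "DNSKEY"
    """
    problems = []
    # A DS that matches no DNSKEY algorithm leaves the validator no chain at all.
    for alg in sorted(ds_algs - dnskey_algs):
        problems.append(f"DS algorithm {alg} has no matching DNSKEY")
    # The DNSKEY RRset must be self-signed with every algorithm in the DS RRset.
    dnskey_sigs = rrsig_algs.get("DNSKEY", set())
    for alg in sorted(ds_algs & dnskey_algs):
        if alg not in dnskey_sigs:
            problems.append(f"DNSKEY RRset not signed with DS algorithm {alg}")
    # Every RRset must be signed with each algorithm in the DNSKEY RRset.
    for label, sigs in sorted(rrsig_algs.items()):
        for alg in sorted(dnskey_algs - sigs):
            problems.append(f"{label} RRset not signed with DNSKEY algorithm {alg}")
    return problems


def zone_rrsigs(*algs):
    """Constructed zone: three RRsets, each signed with the given algorithms."""
    return {label: set(algs) for label in ("DNSKEY", "SOA", "www.example.net. A")}


def rollover_paths():
    """Snapshots of an algorithm 8 -> 13 change; {step label: problems found}."""
    old, new = RSASHA256, ECDSAP256SHA256
    return {
        "steady state, algorithm 8":
            coverage_problems({old}, {old}, zone_rrsigs(old)),
        # What a bare kasp.xml edit produces: new keys, old DS still at parent.
        "blind kasp.xml switch":
            coverage_problems({old}, {new}, zone_rrsigs(new)),
        # Unsigning before the parent has dropped the DS is just as bogus.
        "unsigned while parent DS still present":
            coverage_problems({old}, set(), zone_rrsigs()),
        # The go-unsigned procedure, step by step.
        "go unsigned 1: DS removed, old signatures remain":
            coverage_problems(set(), {old}, zone_rrsigs(old)),
        "go unsigned 2: unsigned zone, no DS":
            coverage_problems(set(), set(), zone_rrsigs()),
        "go unsigned 3: signed with algorithm 13, no DS":
            coverage_problems(set(), {new}, zone_rrsigs(new)),
        "go unsigned 4: DS for algorithm 13 published":
            coverage_problems({new}, {new}, zone_rrsigs(new)),
        # RFC 6781 4.1.4 intermediate state: both algorithms sign everything.
        "double-signed intermediate state":
            coverage_problems({old}, {old, new}, zone_rrsigs(old, new)),
    }


if __name__ == "__main__":
    for step, found in rollover_paths().items():
        print(f"{step}: {'ok' if not found else '; '.join(found)}")
```

The blind switch fails on the very first rule: the parent's DS names algorithm 8, but the zone no longer publishes any algorithm 8 key, so a validator cannot build a chain regardless of how correct the new signatures are. The same rule is why the DS must be withdrawn, and its TTL waited out, before the zone is published unsigned. Note that RFC 6840 section 5.11 lets validators accept any single valid path rather than demanding every signalled algorithm, but a signer still has to produce the full coverage shown here, and the DS-to-DNSKEY mismatch of the blind switch is fatal under either reading.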

...