Dear colleagues,

During the RIPE 82 Meeting, we announced that we would soon roll the
keys of all our DNSSEC-signed zones to a new algorithm, ECDSAP256SHA256,
as recommended by RFC 8624.

We are happy to announce that we are now ready to do this. On Tuesday,
15 June 2021, we will start the roll-over of both the Key Signing Keys
(KSKs) and Zone Signing Keys (ZSKs) of our zones. The process will take
several days to complete.

We have performed an algorithm roll-over previously, when we switched from
RSASHA1 to RSASHA256. We wrote a RIPE Labs article about it, in which we
observed the need to perform this roll-over conservatively, in order to
accommodate strict validators:

https://labs.ripe.net/author/anandb/dnssec-algorithm-roll-over/

Therefore, our Knot DNS signer will use the conservative approach
described in section 4.1.4 of RFC 6781. This approach ensures that even
strict validators can continue to validate our DNSSEC-signed responses
during the roll-over.
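For readers who want to see why the order of steps matters, here is an added example (not RIPE NCC's or Knot DNS's code) that models the conservative roll-over of RFC 6781 section 4.1.4 and checks each stage against the strict-validator rules of RFC 4035 section 2.2: every algorithm in the apex DNSKEY RRset must sign every RRset, and every algorithm in the parent's DS RRset must sign the DNSKEY RRset. Because resolver caches can hold the DS, DNSKEY and RRSIG RRsets from different moments, the checker also tests every mix of two consecutive stages. The algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256) are the IANA values; the stage names, the `liberal_rollover` comparison sequence and the simplification that all RRsets carry the same set of signature algorithms are this example's own assumptions.

```python
"""Checker for the conservative DNSSEC algorithm roll-over of RFC 6781,
section 4.1.4, against the strict-validator rules of RFC 4035, section 2.2.

Added example, not RIPE NCC's or Knot DNS's code. The IANA algorithm
numbers (8 = RSASHA256, 13 = ECDSAP256SHA256) are real; the stage list,
the zone model (one algorithm set covering all RRSIGs) and the names are
this example's own simplification.
"""

from itertools import product

RSASHA256 = 8
ECDSAP256SHA256 = 13


def strict_validator_ok(ds_algs, dnskey_algs, rrsig_algs):
    """Apply RFC 4035 s2.2 to one view of the zone.

    ds_algs     - algorithms in the DS RRset at the parent
    dnskey_algs - algorithms in the apex DNSKEY RRset
    rrsig_algs  - algorithms with which every RRset (DNSKEY included) is signed

    A strict validator requires every DNSKEY algorithm to sign every RRset
    and every DS algorithm to sign the DNSKEY RRset; the chain of trust also
    needs at least one DS algorithm that matches a published DNSKEY.
    """
    return (dnskey_algs <= rrsig_algs
            and ds_algs <= rrsig_algs
            and bool(ds_algs & dnskey_algs))


def first_unsafe_view(stages):
    """Return None if every stage and every adjacent-stage mix validates.

    Caches may serve DS, DNSKEY and RRSIG RRsets from different moments, so
    for consecutive stages i and i+1 each RRset is taken from either stage.
    On failure, return (stage_name, ds, dnskey, rrsig) of the failing view.
    """
    for i in range(len(stages)):
        window = stages[i:i + 2]   # a single stage, or the pair i and i+1
        for ds_src, key_src, sig_src in product(window, repeat=3):
            ds, key, sig = ds_src["ds"], key_src["dnskey"], sig_src["rrsig"]
            if not strict_validator_ok(ds, key, sig):
                return (stages[i]["name"], ds, key, sig)
    return None


def stage(name, ds, dnskey, rrsig):
    """One published state of the zone and its parent DS (constructed model)."""
    return {"name": name, "ds": frozenset(ds),
            "dnskey": frozenset(dnskey), "rrsig": frozenset(rrsig)}


def conservative_rollover(old, new):
    """RFC 6781 s4.1.4 order: new signatures first, then the new DNSKEY,
    then the DS, then remove the old DNSKEY, and only then the old signatures."""
    return [
        stage("initial",            [old], [old],      [old]),
        stage("new RRSIGs",         [old], [old],      [old, new]),
        stage("new DNSKEY",         [old], [old, new], [old, new]),
        stage("new DS",             [new], [old, new], [old, new]),
        stage("old DNSKEY removed", [new], [new],      [old, new]),
        stage("old RRSIGs removed", [new], [new],      [new]),
    ]


def liberal_rollover(old, new):
    """Comparison case: publish the new DNSKEY and its signatures in one step,
    which a cached old RRSIG set combined with the new DNKSEY set breaks."""
    return [
        stage("initial",      [old], [old],      [old]),
        stage("new key+sigs", [old], [old, new], [old, new]),
        stage("new DS",       [new], [old, new], [old, new]),
        stage("old removed",  [new], [new],      [new]),
    ]


if __name__ == "__main__":
    for label, plan in (("conservative", conservative_rollover),
                        ("liberal", liberal_rollover)):
        bad = first_unsafe_view(plan(RSASHA256, ECDSAP256SHA256))
        print(label, "safe" if bad is None else f"fails at {bad}")
```

Running the block reports the conservative plan as safe at every stage and every cache mix, while the liberal plan fails as soon as a resolver holds the new DNSKEY RRset together with RRSIGs cached from before the change, which is exactly the strict-validator failure the conservative order avoids.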

If you have any questions or concerns, please send an email to [email protected].

Regards,
Anand Buddhdev
RIPE NCC
