On Tue, May 12, 2026 at 04:31:22PM +0200, Libor Peltan wrote:
> Hi Cathy,
> 
> it is slightly puzzling me that one RFC (6781) encourages "loose
> interpretation" (in fact, violation) of another RFC (4035).
> 
> I'd stick with what is called the "conservative approach", until
> draft-huque-dnsop-multi-alg-rules makes it to RFC (I wish!).
> 
> Libor
> 
> On 12. 05. 26 11:27, Cathy Zhang wrote:
> > Hi all,
> > RFC 6781 defines two modes for algorithm rollover: the conservative 
> > approach and the liberal approach.
> > And the relevant description is given on page 29 of RFC 6781 as follows:
> >     However, there are implementations of validators known to follow the
> >     more conservative approach.  Performing a Double-Signature KSK
> >     algorithm rollover will temporarily make your zone appear as Bogus by
> >     such validators during the rollover.  Therefore, the rollover
> >     described in this section will explain the stages of deployment and
> >     will assume that the conservative approach is used.
> > Is this distinction still necessary today, or is it possible to
> > adopt the same approach as for ZSK/KSK rollover?

Since at least 2017 many TLDs have done algroll using the liberal
approach.

The presentations below illustrate our journey on how to do it
safely. The first one has the root of the question based on the
events that happened in Jan/2011.

https://indico.dns-oarc.net/event/28/contributions/513/attachments/487/794/algorith-rollover-approach.pdf

https://icann-hamster.nl/ham/soac/ssac/dnssec/icann62/br%20DNSSEC.pdf

To answer your question, in our experience today you could follow the
liberal approach quite safely.

> > BR,
> > Cathy

Fred

_______________________________________________
DNSOP mailing list -- [email protected]