We have a developer at Akamai who is now working on allowing for
DNSSEC algorithm changes without having the customer set their zone to
unsigned.  We plan to use the liberal approach described by RFC 6781.

Our core question is what validating resolvers, if any, the liberal
approach is known to vex.

RFC 6781 (DNSSEC Operational Practices, Version 2, December 2012,
Informational) section 4.1.4 describes two approaches to such a
rotation: a conservative approach and a liberal approach.  The
reason it cites for these differing approaches is that RFC 4035 is
not completely clear on a particular requirement.

RFC 6840 (DNSSEC Implementation Notes, February 2013, Standards Track)
section 5.11 clarifies the ambiguous portion of RFC 4035.  This
clarification makes it such that the conservative approach is
unnecessary, and the liberal approach would work fine.

Our current plan is to use the liberal approach, as it only requires
two transitions, rather than four, and would be much easier to
implement.  RFC 6840 has been published for several years, and while
RFC 6781 mentions that some validators may fail with the liberal
approach, it doesn't mention what validators those are, and it's not
clear whether those problematic validators have meaningful market share.

Thoughts?
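The reasoning above, as an added illustration that is not part of the original post or of Akamai's work: a small Python model of the two validator readings the post contrasts (RFC 4035 section 2.2 taken as a validator-side rule versus RFC 6840 section 5.11), run over the cache states a resolver can hold across each transition of the two RFC 6781 rollover plans. DS handling, TTLs and actual signature verification are abstracted away, and the plans and algorithm names "A"/"B" are constructed.

```python
"""Model of the two validator readings contrasted in the post (constructed
illustration; DS records, TTLs and real signature checks are abstracted)."""

# A zone state is (apex DNSKEY algorithms, RRSIG algorithms on an ordinary
# RRset).  Rollover plans from algorithm "A" to "B", per RFC 6781 4.1.4.
LIBERAL = [
    ({"A"}, {"A"}),            # before the roll
    ({"A", "B"}, {"A", "B"}),  # B DNSKEY and B RRSIGs published together
    ({"B"}, {"B"}),            # (DS swapped between steps) A withdrawn together
]
CONSERVATIVE = [
    ({"A"}, {"A"}),
    ({"A"}, {"A", "B"}),       # 1. publish B RRSIGs first
    ({"A", "B"}, {"A", "B"}),  # 2. then publish the B DNSKEY (DS swap follows)
    ({"B"}, {"A", "B"}),       # 3. withdraw the A DNSKEY
    ({"B"}, {"B"}),            # 4. finally withdraw the A RRSIGs
]

def strict_accepts(dnskey_algs, rrsig_algs):
    """RFC 4035 2.2 applied by the validator: every algorithm in the apex
    DNSKEY RRset must be represented among the RRSIGs, plus one must verify."""
    return dnskey_algs <= rrsig_algs and bool(dnskey_algs & rrsig_algs)

def rfc6840_accepts(dnskey_algs, rrsig_algs):
    """RFC 6840 5.11: one RRSIG verifiable with a published DNSKEY suffices."""
    return bool(dnskey_algs & rrsig_algs)

def cache_views(plan):
    """(DNSKEY RRset, RRSIG set) mixes a cache can hold: same step or adjacent
    steps, i.e. TTL skew across a single transition."""
    return {(frozenset(plan[i][0]), frozenset(plan[j][1]))
            for i in range(len(plan)) for j in range(len(plan))
            if abs(i - j) <= 1}

def rejected_views(plan, policy):
    """Cache views the given validator policy would treat as bogus."""
    return sorted((sorted(k), sorted(s))
                  for k, s in cache_views(plan) if not policy(k, s))

if __name__ == "__main__":
    for name, plan in (("liberal", LIBERAL), ("conservative", CONSERVATIVE)):
        print(f"{name}: {len(plan) - 1} transitions")
        print("  strict 4035 reading rejects:", rejected_views(plan, strict_accepts))
        print("  RFC 6840 5.11 reading rejects:", rejected_views(plan, rfc6840_accepts))
```

The strict reading only trips on the liberal plan, in the window where a cache holds the double-algorithm DNSKEY RRset alongside an RRset still signed by one algorithm; the RFC 6840 reading accepts every view of both plans.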
