Hi Daniel! Thanks for the info.
> -----Original Message-----
> From: Daniel Stirnimann <daniel.stirnim...@switch.ch>
> Sent: Monday, 3 May 2021 11:27
> To: Klaus Darilion <klaus.daril...@nic.at>; Pdns-us...@mailman.powerdns.com
> Subject: Re: [Pdns-users] DNSSEC Algorithm Rollover Documentation
>
> Hello Klaus,
>
> The DNSSEC Operational Practices (RFC 6781) documents this in chapter
> 4.1.4 Algorithm Rollovers:
> https://tools.ietf.org/html/rfc6781#section-4.1.4
>
> The document mentions both a conservative and a liberal approach. You
> can follow the liberal approach as by now all software handles this case
> correctly.

The question is - are all ISPs using the new software versions that support the liberal approach?

> It has even been done by TLDs.

That's a good indicator.

> Tony Finch has also documented how to do an algorithm rollover,
> https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

I am not sure - is this the conservative or liberal approach? I would think this is not conservative, as the new DNSKEYs are published together with the new RRSIGs.

Further, in the liberal approach, is it necessary that the KSK and ZSK algorithm rollover be done at the same time, or is it allowed to just introduce a KSK with a new algorithm and still use the old ZSK?

Thanks
Klaus
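The ordering question raised in the message above can be checked mechanically. This is an added example, not part of the original thread or of PowerDNS: it classifies constructed zone snapshots by whether RRSIGs of the new algorithm appear before, together with, or after its DNSKEY, and reports RRsets that violate the RFC 4035 section 2.2 signing rule. The zone names, snapshot format and function names are hypothetical; "signatures-first" is assumed to correspond to the conservative ordering of RFC 6781 section 4.1.4.

```python
# Added example: constructed snapshots of a rollover from algorithm 8
# (RSASHA256) to 13 (ECDSAP256SHA256). Names and data are hypothetical.
RRSETS = ("example. SOA", "example. DNSKEY", "www.example. A")

def snapshot(dnskey_algs, rrsig_algs, overrides=None):
    """One observation of the zone: apex DNSKEY algorithms plus, per RRset,
    the algorithms of the RRSIGs covering it."""
    sigs = {name: set(rrsig_algs) for name in RRSETS}
    sigs.update({k: set(v) for k, v in (overrides or {}).items()})
    return {"dnskey_algs": set(dnskey_algs), "rrsig_algs": sigs}

def missing_signatures(snap):
    """RFC 4035 section 2.2: each RRset needs an RRSIG for every algorithm in
    the apex DNSKEY RRset. Return {rrset: algorithms without a signature}."""
    keys = snap["dnskey_algs"]
    return {n: keys - s for n, s in snap["rrsig_algs"].items() if keys - s}

def introduction_order(snapshots, new_alg):
    """Walk the snapshots in time order and report how new_alg was introduced."""
    for snap in snapshots:
        key_present = new_alg in snap["dnskey_algs"]
        fully_signed = all(new_alg in s for s in snap["rrsig_algs"].values())
        if fully_signed and not key_present:
            return "signatures-first"   # RRSIGs published before the DNSKEY
        if key_present:
            # DNSKEY visible: either every RRset is already signed with it
            # (published together) or some RRset is still missing an RRSIG.
            return "together" if fully_signed else "key-first"
    return "not-started"

INITIAL = snapshot({8}, {8})
SIGS_FIRST = [INITIAL, snapshot({8}, {8, 13}), snapshot({8, 13}, {8, 13})]
TOGETHER = [INITIAL, snapshot({8, 13}, {8, 13})]
KEY_FIRST = [INITIAL, snapshot({8, 13}, {8, 13}, {"www.example. A": {8}})]

if __name__ == "__main__":
    for label, seq in (("sigs-first", SIGS_FIRST), ("together", TOGETHER),
                       ("key-first", KEY_FIRST)):
        print(label, introduction_order(seq, 13), missing_signatures(seq[-1]))
```

In practice the snapshots would be built from repeated queries against the authoritative servers; only the final state of the key-first sequence breaks the signing rule.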