Dear colleagues,
Rolling over the algorithm (usually to a stronger variant) used to sign
a DNS zone isn't as easy as regular key roll-overs. This is because some
DNSSEC validators are less forgiving than others, and fail validation
unless the right combination of keys and signatures is present in a zone.
This new article on RIPE Labs describes our experiences with DNSSEC
algorithm roll-over:
https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over
We hope that our experience will help others who may be considering
doing this.
Kind regards,
Mirjam Kuehne
RIPE NCC
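Added illustration, not part of the announcement or the RIPE Labs article: the strict-validator rule behind the post is RFC 4035 section 2.2, which requires an RRSIG from every algorithm present in the apex DNSKEY RRset on every RRset, and a DNSKEY for every algorithm the parent's DS records reference. The snapshot model, algorithm numbers (5 = RSASHA1, 8 = RSASHA256) and stage names below are constructed assumptions, not real zone data.

```python
from dataclasses import dataclass


@dataclass
class ZoneSnapshot:
    """Simplified model of one moment during an algorithm roll-over (constructed)."""
    ds_algs: set            # algorithms listed in the parent's DS records
    dnskey_algs: set        # algorithms present in the apex DNSKEY RRset
    rrsig_algs: dict        # RRset name -> set of algorithms among its RRSIGs


def check_rollover_state(snap: ZoneSnapshot) -> list:
    """Return the problems a strict validator would reject on; empty means OK."""
    problems = []
    # Every DS algorithm must be matched by a DNSKEY using that algorithm.
    for alg in sorted(snap.ds_algs - snap.dnskey_algs):
        problems.append(f"DS references algorithm {alg} but no DNSKEY uses it")
    # Every algorithm in the DNSKEY RRset must sign every RRset in the zone.
    for rrset, algs in snap.rrsig_algs.items():
        for alg in sorted(snap.dnskey_algs - algs):
            problems.append(f"{rrset}: missing RRSIG with algorithm {alg}")
    return problems


def rollover_stages() -> dict:
    """Constructed roll-over from algorithm 5 to 8, with one wrong intermediate step."""
    rrsets = ["example. DNSKEY", "example. SOA", "www.example. A"]
    stages = {
        "0-old-only":   ZoneSnapshot({5}, {5}, {r: {5} for r in rrsets}),
        # Publishing the new DNSKEY before the new signatures breaks strict validators.
        "1-key-first":  ZoneSnapshot({5}, {5, 8}, {r: {5} for r in rrsets}),
        # Correct order: signatures of both algorithms, then both keys, then DS.
        "2-double-sig": ZoneSnapshot({5}, {5, 8}, {r: {5, 8} for r in rrsets}),
        "3-ds-both":    ZoneSnapshot({5, 8}, {5, 8}, {r: {5, 8} for r in rrsets}),
        # Swapping DS to the new algorithm before any DNSKEY uses it also fails.
        "4-ds-early":   ZoneSnapshot({8}, {5}, {r: {5} for r in rrsets}),
        "5-new-only":   ZoneSnapshot({8}, {8}, {r: {8} for r in rrsets}),
    }
    return {name: check_rollover_state(snap) for name, snap in stages.items()}


if __name__ == "__main__":
    for name, problems in rollover_stages().items():
        print(name, "OK" if not problems else problems)
```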