Dear colleagues,

We are happy to inform you that the algorithm roll for all our DNSSEC-signed zones to ECDSAP256SHA256 as described by Anand earlier this month has completed successfully, with the last zone (e164.arpa) finishing its roll yesterday (29 June).

During the roll, we have not observed any problems or noticed any incidents, so we believe the roll was transparent for all validating resolvers that support both the old (8) and new (13) algorithms.

If you have any questions, please send an email to dns@ripe.net.

Best regards,
Paul de Weerd
RIPE NCC

On 2021-06-10 12:04, Anand Buddhdev wrote:
Dear colleagues,
During the RIPE 82 Meeting, we announced that we would soon roll the keys of all our DNSSEC-signed zones to a new algorithm, ECDSAP256SHA256, as recommended by RFC 8624.
We are happy to announce that we are now ready to do this. On Tuesday, 15 June 2021, we will start the roll-over of both the Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs) of our zones. The process will take several days to complete.
We have performed an algorithm roll-over previously, when we switched from RSASHA1 to RSASHA256. We wrote a RIPE Labs article about it, wherein we observed the need to perform this roll-over conservatively, in order to accommodate strict validators: https://labs.ripe.net/author/anandb/dnssec-algorithm-roll-over/
Therefore, our Knot DNS signer will use the conservative approach described in section 4.1.4 of RFC 6781. This approach ensures that even strict validators can continue to validate our DNSSEC-signed responses during the roll-over.
If you have any questions or concerns, please send an email to dns@ripe.net.
Regards,
Anand Buddhdev
RIPE NCC
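The reason the conservative roll of RFC 6781 section 4.1.4 matters is the rule in RFC 4035 section 2.2 that strict validators enforce: every RRset in a signed zone must carry an RRSIG made with every algorithm that appears in the apex DNSKEY RRset. Publishing the ECDSAP256SHA256 keys before all RRsets carry ECDSAP256SHA256 signatures would therefore make a strict validator fail the zone. The script below is an added example, not RIPE NCC's or Knot DNS's code: it parses presentation-format records (a signed zone file or `dig +dnssec` output) and reports every RRset that lacks a signature for one of the published algorithms, then walks the stages of the conservative roll plus the shortcut that a strict validator would reject. The `example.` zone snapshots, key tags and key/signature data are constructed placeholders; the parent DS change is left out because it does not affect this particular check.

```python
"""Check the RFC 4035 s2.2 invariant that strict DNSSEC validators enforce
during an algorithm roll: every RRset must be signed with every algorithm
present in the apex DNSKEY RRset. Added example; zone data is constructed."""
from collections import defaultdict

RSASHA256 = 8          # old algorithm in the announcement
ECDSAP256SHA256 = 13   # new algorithm


def parse_records(zone_text):
    """Return (dnskey_algs, rrsets, sigs): algorithms in the apex DNSKEY RRset,
    the set of (owner, type) RRsets, and per RRset the set of RRSIG algorithms.
    One record per line in presentation format: "owner [TTL] IN TYPE rdata"."""
    dnskey_algs, rrsets, sigs = set(), set(), defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        cls = fields.index("IN")              # TTL may be absent, anchor on class
        owner, rtype, rdata = fields[0], fields[cls + 1], fields[cls + 2:]
        if rtype == "RRSIG":                  # rdata: covered alg labels ttl ...
            sigs[(owner, rdata[0])].add(int(rdata[1]))
        else:
            rrsets.add((owner, rtype))
            if rtype == "DNSKEY":             # rdata: flags protocol alg key
                dnskey_algs.add(int(rdata[2]))
    return dnskey_algs, rrsets, sigs


def check_algorithm_coverage(zone_text):
    """Sorted (owner, type, algorithm) triples where an RRset lacks an RRSIG for
    an algorithm in the apex DNSKEY RRset. Empty list means a strict validator
    finds a signature of every published algorithm on every RRset."""
    dnskey_algs, rrsets, sigs = parse_records(zone_text)
    return sorted(
        (owner, rtype, alg)
        for owner, rtype in rrsets
        for alg in dnskey_algs - sigs.get((owner, rtype), set())
    )


def zone_snapshot(dnskey_algs, rrsig_algs):
    """Constructed snapshot of example. at one stage of the roll: a KSK/ZSK
    pair per algorithm in dnskey_algs and an RRSIG over every RRset for each
    algorithm in rrsig_algs. Key tags, key data and signatures are fake."""
    apex = "example."
    rrsets = [
        (apex, "SOA", "ns1.example. hostmaster.example. 2021061500 7200 3600 1209600 3600"),
        (apex, "NS", "ns1.example."),
        ("www.example.", "A", "192.0.2.1"),
    ]
    lines = [f"{owner} 3600 IN {rtype} {rdata}" for owner, rtype, rdata in rrsets]
    for alg in sorted(dnskey_algs):
        lines.append(f"{apex} 3600 IN DNSKEY 257 3 {alg} KSKDATA{alg}==")
        lines.append(f"{apex} 3600 IN DNSKEY 256 3 {alg} ZSKDATA{alg}==")
    for owner, rtype, _ in rrsets + [(apex, "DNSKEY", None)]:
        for alg in sorted(rrsig_algs):
            lines.append(f"{owner} 3600 IN RRSIG {rtype} {alg} {owner.count('.')} 3600 "
                         f"20210701000000 20210601000000 {1000 + alg} {apex} SIG{alg}==")
    return "\n".join(lines)


# Stages of the conservative roll (RFC 6781 s4.1.4) as (DNSKEY algs, RRSIG algs),
# plus the shortcut of publishing the new keys before the new signatures.
STAGES = {
    "initial":                          ({RSASHA256}, {RSASHA256}),
    "new RRSIGs":                       ({RSASHA256}, {RSASHA256, ECDSAP256SHA256}),
    "new DNSKEYs":                      ({RSASHA256, ECDSAP256SHA256}, {RSASHA256, ECDSAP256SHA256}),
    "DNSKEY removal":                   ({ECDSAP256SHA256}, {RSASHA256, ECDSAP256SHA256}),
    "RRSIGs removal":                   ({ECDSAP256SHA256}, {ECDSAP256SHA256}),
    "shortcut: keys before signatures": ({RSASHA256, ECDSAP256SHA256}, {RSASHA256}),
}


def stage_report():
    """Map each stage name to the problems a strict validator would see."""
    return {name: check_algorithm_coverage(zone_snapshot(keys, sigs))
            for name, (keys, sigs) in STAGES.items()}


if __name__ == "__main__":
    for name, problems in stage_report().items():
        print(f"{name:36s} {'OK' if not problems else f'{len(problems)} RRsets unsigned for a published algorithm'}")
        for owner, rtype, alg in problems:
            print(f"    {owner} {rtype}: no RRSIG with algorithm {alg}")
```

Only the shortcut stage produces findings: every RRset carries RSASHA256 signatures but the apex DNSKEY RRset already advertises algorithm 13. The "DNSKEY removal" stage passes even though RSASHA256 signatures are still present, because a validator ignores signatures for algorithms it cannot find a key for; what it will not tolerate is the reverse. To check a live zone, pipe the records from a signed zone file or from `dig +dnssec +noall +answer` for each name into `check_algorithm_coverage`.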