Dear colleagues, Rolling over the algorithm (usually to a stronger variant) used to sign a DNS zone isn't as easy as regular key roll-overs. This is because some DNSSEC validators are less forgiving than others, and fail validation unless the right combination of keys and signatures is present in a zone. This new article on RIPE Labs describes our experiences with DNSSEC algorithm roll-over: https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over We hope that our experience will help others who may be considering doing this. Kind regards, Mirjam Kuehne RIPE NCC