The draft document for Multiple Algorithm Rules in DNSSEC,
https://datatracker.ietf.org/doc/draft-huque-dnsop-multi-alg-rules/, has
been updated to version 5.
Beyond mainly editorial updates, the new draft adds an additional use
case: performing an independent algorithm roll for the KSK and ZSK, letting
you roll the KSK's algorithm first and the ZSK's later (or vice versa).
TL;DR: This draft updates the DNSSEC signing and validation rules to allow
more flexible handling of multiple algorithms. The current specifications
require zones to be signed with all advertised algorithms. The draft
proposes to fix this by defining 'universally supported' algorithms
and generally requiring a single signature from one of these, enabling:
- Multi-signer DNSSEC where providers use different algorithms.
- Zone transfers in signed state between providers with differing
algorithm support.
- Simpler algorithm rollovers, avoiding lengthy and risky double-signing
periods and allowing pre-publication of new trust anchors.
- Reduced online signer load in multi-algorithm scenarios.
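As an added illustration (not code from the draft or from any DNS software), the following Python contrasts the two rules described in the TL;DR on a constructed multi-signer scenario; the algorithm numbers come from the IANA DNSSEC registry, but the contents of the "universally supported" set are an assumption for this example, not the draft's actual list.

```python
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA256, ECDSAP256SHA256, ED25519 = 8, 13, 15
# ASSUMPTION for this example: which algorithms count as "universally
# supported". The draft defines that set; these two are stand-ins only.
UNIVERSALLY_SUPPORTED = {RSASHA256, ECDSAP256SHA256}


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    verified: bool  # outcome of cryptographic verification, assumed done already


def missing_under_current_rules(dnskey_algs, rrsigs):
    """Current rule: every algorithm advertised in the DNSKEY RRset must have a
    verified signature over the RRset. Returns the algorithms lacking one."""
    covered = {s.algorithm for s in rrsigs if s.verified}
    return set(dnskey_algs) - covered


def secure_under_draft_rules(dnskey_algs, rrsigs):
    """Draft rule (as summarised above): one verified signature made with a
    universally supported algorithm that the zone advertises is sufficient."""
    return any(s.verified and s.algorithm in UNIVERSALLY_SUPPORTED
               and s.algorithm in dnskey_algs for s in rrsigs)


# Constructed scenario: multi-signer zone, provider A signs with RSASHA256 and
# provider B with ECDSAP256SHA256; the shared DNSKEY RRset advertises both,
# but an RRset served by provider A carries only A's signature.
DNSKEY_ALGS = {RSASHA256, ECDSAP256SHA256}
RRSIGS_FROM_PROVIDER_A = [RRSIG(RSASHA256, verified=True)]

# Constructed scenario: a zone signed only with an algorithm outside the
# (assumed) universally supported set.
DNSKEY_ALGS_ED = {ED25519}
RRSIGS_ED = [RRSIG(ED25519, verified=True)]


if __name__ == "__main__":
    print(missing_under_current_rules(DNSKEY_ALGS, RRSIGS_FROM_PROVIDER_A))  # {13}
    print(secure_under_draft_rules(DNSKEY_ALGS, RRSIGS_FROM_PROVIDER_A))     # True
    print(secure_under_draft_rules(DNSKEY_ALGS_ED, RRSIGS_ED))               # False
```

The first scenario is exactly the multi-signer case the draft targets: incomplete under the current rule, secure under the draft's rule.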
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]