DNSSEC is the security extension of DNS, and it is recommended to enable DNSSEC in all zones to mitigate DNS cache poisoning attacks. The KSK (key signing key) and ZSK (zone signing key) are used to generate the RRSIGs of the zone records, and the algorithms used to generate the KSK/ZSK are very important in generating strong RRSIGs. Some of the zones have used SHA-1 as the security algorithm for the KSK and ZSK. As SHA-1 is an outdated algorithm, it is required to change the key algorithm in those zones. If anyone has any experience with the DNSSEC key algorithm rollover process, please let me know.
Thanks
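
An added example, not part of the original post: a first step before any algorithm rollover is an inventory of which zones still publish SHA-1 based DNSKEYs and in which role. The zone names, key data and function names below are constructed for illustration; the input is DNSKEY records in presentation format, as printed by a DNS lookup tool.

```python
import collections

# IANA DNSSEC algorithm numbers that rely on SHA-1 (5 and 7 are the RSA variants).
SHA1_ALGS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
MNEMONICS = {name: num for num, name in SHA1_ALGS.items()}

# Constructed sample records; the key material is placeholder text, not real keys.
SAMPLE = """\
legacy.example.  3600 IN DNSKEY 257 3 5 AwEAAc1constructed==
legacy.example.  3600 IN DNSKEY 256 3 5 AwEAAc2constructed==
moving.example.  3600 IN DNSKEY 257 3 7 AwEAAc3constructed==
moving.example.  3600 IN DNSKEY 256 3 RSASHA1-NSEC3-SHA1 AwEAAc4constructed==
moving.example.  3600 IN DNSKEY 257 3 13 mdsswUyrconstructed==
moving.example.  3600 IN DNSKEY 256 3 13 oJMRESz5constructed==
modern.example.  IN DNSKEY 257 3 13 kXKkvWU3constructed==  ; TTL omitted
modern.example.  3600 IN DNSKEY 256 3 ECDSAP256SHA256 9uzoHFyaconstructed==
"""

def parse_dnskeys(text):
    """Yield (zone, role, uses_sha1) for every DNSKEY record in the text."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")                  # TTL and class are optional
        if len(fields) < i + 5:
            continue                                # truncated record, skip it
        flags, _protocol, alg = fields[i + 1:i + 4]
        # The algorithm field may be a number or a mnemonic.
        alg_num = int(alg) if alg.isdigit() else MNEMONICS.get(alg.upper())
        role = "KSK" if int(flags) & 1 else "ZSK"   # SEP bit set means KSK (257)
        yield fields[0].lower(), role, alg_num in SHA1_ALGS

def audit(text):
    """Map zone -> (status, roles that still have a SHA-1 based key)."""
    kinds = collections.defaultdict(set)
    sha1_roles = collections.defaultdict(set)
    for zone, role, uses_sha1 in parse_dnskeys(text):
        kinds[zone].add(uses_sha1)
        if uses_sha1:
            sha1_roles[zone].add(role)
    report = {}
    for zone, seen in kinds.items():
        if seen == {True}:
            status = "sha1-only"    # rollover not started
        elif seen == {True, False}:
            status = "mixed"        # old and new algorithm both published
        else:
            status = "no-sha1"
        report[zone] = (status, sorted(sha1_roles[zone]))
    return report

if __name__ == "__main__":
    for zone, (status, roles) in audit(SAMPLE).items():
        print(f"{zone:18} {status:10} {','.join(roles) or '-'}")
```

A zone reported as `mixed` publishes keys of both an old and a new algorithm at once, which is what a zone looks like partway through an algorithm rollover.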