Content deleted Content added
→IETF publications: update to include more RFCs -- all referenced in RFC9364
→Key management: added paragraph about Algorithm rollover.
Line 168:
When a new KSK is created, the DS record must be transferred to the parent zone and published there. The DS records use a [[message digest]] of the KSK instead of the complete key in order to keep the size of the records small. This is helpful for zones such as the [[.com]] ___domain, which are very large. The procedure to update DS keys in the parent zone is also simpler than earlier DNSSEC versions that required DNSKEY records to be in the parent zone.
A closely related principle is that of '''Algorithm rollover''', this involves migrating a zone from one signing Algorithm to another. A good example of this would be migrating from Algorithm 8 (RSA/SHA-256) to Algorithm 13 (ECDSA/SHA-256). Several ccTLD's have already migrated including [[.at]], [[.br]], [[.cz]], [[.ch]], [[.fr]], [[.ie]], [[.nl]]<ref>{{cite web |last1=Ubbink |first1=Stefan |title=New DNSSEC algorithm for .nl |url=https://www.sidn.nl/en/news-and-blogs/new-dnssec-algorithm-for-nl |website=www.sidn.nl |access-date=29 January 2024}}</ref> and [[.ph]]. [[Verisign]] migrated .com, .net and .edu to Algorithm 13 in late 2023.<ref>{{cite web |last1=Wessels |first1=Duane |title=Verisign Will Help Strengthen Security with DNSSEC Algorithm Update |url=https://blog.verisign.com/security/dnssec-algorithm-update/ |website=Verisign Blog |access-date=29 January 2024 |date=10 August 2023}}</ref><ref>{{cite web |last1=Wessels |first1=Duane |title=Transitioning Verisign's TLDs to Elliptic Curve DNSSEC |url=https://indico.dns-oarc.net/event/47/contributions/1012/ |website=DNS-OARC |access-date=29 January 2024}}</ref> The migration of the root ___domain from Algorithm 8 to Algorithm 13 is currently in planning as of early 2024.<ref>{{cite web |title=Root Zone KSK Algorithm Rollover - ICANN |url=https://www.icann.org/resources/pages/ksk-algorithm-rollover-en |website=www.icann.org |access-date=29 January 2024}}</ref>
===DANE Working Group===
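Review bot: In the added Algorithm rollover paragraph, the list of ccTLDs said to "have already migrated" carries a reference only for [[.nl]]; .at, .br, .cz, .ch, .fr, .ie and .ph each need a source or should be dropped from the list. The opening sentence is a comma splice ("'''Algorithm rollover''', this involves migrating ..."), so use "which involves" or split it into two sentences. "ccTLD's" should be the plural "ccTLDs", and "Algorithm" should be lowercase wherever it is not part of a numbered name such as "Algorithm 13". "A good example of this would be" reads as editorial voice; "for example" is enough. The closing sentence combines "currently" with "as of early 2024"; drop "currently" and lead with the date so the statement stays accurate as it ages.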