[dns-operations] GOV zone operational update: DNSSEC transition to algorithm 13

Christian Elmerot christian at elmerot.se
Mon May 13 19:19:34 UTC 2024

Cloudflare will start the transition of the .GOV zone to use DNSSEC 
signing algorithm 13 (ECDSA P-256) about a week from now.

We do not expect any action to be required by the operators of DNS 
resolvers or by end-users due to this change. This note is being sent as 
a courtesy, in the interests of operational transparency.

We plan to start the transition on May 20th, 2024. The initial step will 
be to include algorithm 13 signatures alongside algorithm 8 signatures 
in signed responses sent by the authoritative .GOV nameservers.

The transition will proceed through the following sequence of events:

1. Algorithm 13 signatures are published in addition to algorithm 8 
2. Algorithm 13 DNSKEY records are published alongside the current 
algorithm 8 DNSKEYs
3. Algorithm 13 DS record is published in the root zone
4. Algorithm 8 DS record is removed from the root zone
5. Algorithm 8 DNSKEY records are removed
6. Algorithm 8 signatures are removed from responses

Cloudflare has been using algorithm 13 for zone signing since 2015, 
pioneering its use to the wider community. The widespread adoption since 
serves as a testament to the maturity of the resolver ecosystem's 
ability to recognize and validate the algorithm. Other important zones 
also use algorithm 13 today, such as the .COM and .NET Top-Level Domains 
(TLDs) that transitioned to algorithm 13 in the fourth quarter of 2023.

While we anticipate minimal operational impact for end users, we 
encourage you to reach out to us with any questions or reports of 
unexpected behavior related to the transition.

Christian Elmerot, Cloudflare
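The six-step sequence in the post above, as an added example that is not part of the original message: a small Python model of the rollover that checks the zone state after every step against the consistency rules of RFC 4035 section 2.2 (every algorithm in the parent DS needs an apex DNSKEY and signatures; every algorithm in the apex DNSKEY RRset must sign the zone). The rule wording and the dataclass are assumptions of this example, not anything Cloudflare published.

```python
# Added example, not part of the original post: model the six-step rollover
# as sets of DNSSEC algorithm numbers and check every phase against the
# consistency rules of RFC 4035 section 2.2 that a strict validator enforces.
from dataclasses import dataclass

ALG_RSASHA256 = 8          # algorithm .GOV is signed with today
ALG_ECDSAP256SHA256 = 13   # target algorithm of the transition

@dataclass(frozen=True)
class ZoneState:
    ds: frozenset      # algorithms in the DS RRset at the parent (root zone)
    dnskey: frozenset  # algorithms in the apex DNSKEY RRset
    rrsig: frozenset   # algorithms with RRSIGs over every RRset in the zone

def check_state(s: ZoneState) -> list:
    """Return the rules a strict validator would see violated (empty = OK)."""
    problems = []
    # Every algorithm in the parent's DS RRset needs a matching apex DNSKEY,
    # and that algorithm must sign the apex DNSKEY RRset.
    for alg in sorted(s.ds - s.dnskey):
        problems.append(f"DS algorithm {alg} has no DNSKEY at the apex")
    for alg in sorted(s.ds - s.rrsig):
        problems.append(f"DS algorithm {alg} does not sign the zone")
    # Every algorithm in the DNSKEY RRset must sign every RRset in the zone;
    # an RRSIG for an algorithm not (yet) in DNSKEY is simply ignored.
    for alg in sorted(s.dnskey - s.rrsig):
        problems.append(f"DNSKEY algorithm {alg} published without signatures")
    if not s.ds:
        problems.append("no DS at the parent: chain of trust is broken")
    return problems

def rollover_phases(old: int, new: int) -> list:
    """Zone state after each step of the sequence in the post. Cache TTLs are
    ignored here; in practice each step waits until the previous RRset has
    expired from resolver caches before the next step is taken."""
    o, n, both = frozenset({old}), frozenset({new}), frozenset({old, new})
    return [
        ZoneState(ds=o, dnskey=o, rrsig=o),           # before the transition
        ZoneState(ds=o, dnskey=o, rrsig=both),        # 1. new signatures added
        ZoneState(ds=o, dnskey=both, rrsig=both),     # 2. new DNSKEYs added
        ZoneState(ds=both, dnskey=both, rrsig=both),  # 3. new DS in the root
        ZoneState(ds=n, dnskey=both, rrsig=both),     # 4. old DS removed
        ZoneState(ds=n, dnskey=n, rrsig=both),        # 5. old DNSKEYs removed
        ZoneState(ds=n, dnskey=n, rrsig=n),           # 6. old signatures removed
    ]

def all_phases_valid(old=ALG_RSASHA256, new=ALG_ECDSAP256SHA256) -> bool:
    """True when no step of the documented order leaves the zone unvalidatable."""
    return all(not check_state(s) for s in rollover_phases(old, new))
```

Swapping steps 1 and 2 (publishing the algorithm 13 DNSKEY before its signatures) gives `ZoneState(ds={8}, dnskey={8, 13}, rrsig={8})`, which `check_state` reports as a DNSKEY published without signatures; publishing the DS before the DNSKEY is reported the same way on the DS side.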
