[dns-operations] GOV zone operational update: DNSSEC transition to algorithm 13
Christian Elmerot
christian at elmerot.se
Mon May 13 19:19:34 UTC 2024
Cloudflare will start the transition of the .GOV zone to use DNSSEC
signing algorithm 13 (ECDSA P-256) about a week from now.
We do not expect any action to be required by the operators of DNS
resolvers or by end-users due to this change. This note is being sent as
a courtesy, in the interests of operational transparency.
We plan to start the transition on May 20th, 2024. The initial step will
be to include algorithm 13 signatures alongside algorithm 8 signatures
in signed responses sent by the authoritative .GOV nameservers.
The transition will proceed through the following sequence of events:
1. Algorithm 13 signatures are published in addition to algorithm 8
signatures
2. Algorithm 13 DNSKEY records are published alongside the current
algorithm 8 DNSKEYs
3. Algorithm 13 DS record is published in the root zone
4. Algorithm 8 DS record is removed from the root zone
5. Algorithm 8 DNSKEY records are removed
6. Algorithm 8 signatures are removed from responses
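The ordering above is the conservative "double-signature" rollover: at no
point does a DS in the root lack a matching DNSKEY, and at no point does a
DNSKEY algorithm exist without signatures made with it. The following
script, an added example written for this note rather than Cloudflare's own
tooling, models just the set of algorithms visible at each layer of the
chain of trust (DS in the parent, DNSKEY RRset, RRSIGs) and checks the
publisher rules of RFC 6840 section 5.11 after every step. Step labels and
the starting state (a zone signed with algorithm 8 only) are constructed
from the list above; TTL waits between steps, which a real rollover also
needs, are deliberately not modelled.

```python
"""Order check for a double-signature DNSSEC algorithm rollover.

Models only which algorithms are present at each layer of the chain of
trust and checks the publisher rules of RFC 6840 section 5.11 after
every step. Timing (waiting out TTLs between steps) is not modelled.
"""
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry.
RSASHA256 = 8          # the .GOV zone's current algorithm
ECDSAP256SHA256 = 13   # the target algorithm (ECDSA P-256 with SHA-256)


@dataclass(frozen=True)
class ZoneState:
    """Algorithms visible at each layer of the chain of trust after a step."""
    step: str
    ds: frozenset       # algorithms of the DS records published in the parent
    dnskey: frozenset   # algorithms of the zone's DNSKEY RRset
    rrsig: frozenset    # algorithms of the RRSIGs covering the zone's RRsets


def publisher_problems(state: ZoneState) -> list[str]:
    """Return the RFC 6840 section 5.11 publisher rules this state breaks.

    A signed zone MUST have a DNSKEY for every algorithm in its DS RRset and
    MUST be signed with every algorithm present in its DNSKEY RRset.
    Validators must accept any single working path, so RRSIGs whose
    algorithm has no DNSKEY are simply ignored and are not flagged here.
    """
    problems = []
    for alg in sorted(state.ds - state.dnskey):
        problems.append(f"{state.step}: DS for algorithm {alg} has no matching DNSKEY")
    for alg in sorted(state.dnskey - state.rrsig):
        problems.append(f"{state.step}: DNSKEY algorithm {alg} present but no RRSIGs use it")
    if not state.ds:
        problems.append(f"{state.step}: no DS left in the parent, zone would go insecure")
    return problems


# The six steps from the announcement, as (label, layer, action, algorithm).
GOV_STEPS = [
    ("1 publish alg 13 RRSIGs",     "rrsig",  "add",    ECDSAP256SHA256),
    ("2 publish alg 13 DNSKEYs",    "dnskey", "add",    ECDSAP256SHA256),
    ("3 publish alg 13 DS in root", "ds",     "add",    ECDSAP256SHA256),
    ("4 remove alg 8 DS from root", "ds",     "remove", RSASHA256),
    ("5 remove alg 8 DNSKEYs",      "dnskey", "remove", RSASHA256),
    ("6 remove alg 8 RRSIGs",       "rrsig",  "remove", RSASHA256),
]


def walk(steps, start_alg: int = RSASHA256) -> list[ZoneState]:
    """Apply the steps cumulatively to a zone signed with start_alg only and
    return the state before the rollover and after each step."""
    layers = {"ds": {start_alg}, "dnskey": {start_alg}, "rrsig": {start_alg}}

    def snapshot(label: str) -> ZoneState:
        return ZoneState(label, frozenset(layers["ds"]),
                         frozenset(layers["dnskey"]), frozenset(layers["rrsig"]))

    states = [snapshot("0 before rollover")]
    for label, layer, action, alg in steps:
        if action == "add":
            layers[layer].add(alg)
        elif action == "remove":
            layers[layer].discard(alg)
        else:
            raise ValueError(f"unknown action {action!r}")
        states.append(snapshot(label))
    return states


def first_violation(steps) -> list[str]:
    """Problems at the first unsafe state reached, or [] if every step is safe."""
    for state in walk(steps):
        problems = publisher_problems(state)
        if problems:
            return problems
    return []


def swap(steps, i: int, j: int) -> list:
    """Copy of steps with positions i and j exchanged, to try out a bad order."""
    reordered = list(steps)
    reordered[i], reordered[j] = reordered[j], reordered[i]
    return reordered


if __name__ == "__main__":
    print("announced order:", first_violation(GOV_STEPS) or "safe at every step")
    # Publishing the algorithm 13 DNSKEYs before any algorithm 13 RRSIGs exist
    # leaves a DNSKEY algorithm with no signatures (steps 1 and 2 swapped).
    print("DNSKEY before RRSIG:", first_violation(swap(GOV_STEPS, 0, 1)))
    # Removing the algorithm 8 DNSKEYs while the algorithm 8 DS is still in
    # the root breaks that path to the zone (steps 4 and 5 swapped).
    print("DNSKEY removed before DS:", first_violation(swap(GOV_STEPS, 3, 4)))
```

The announced order passes at every state, while exchanging steps 1 and 2
or steps 4 and 5 produces a state a strict validator could reject. A
resolver operator can apply the same two rules by hand to a DNSKEY query
and a DS query against the root at any point during the transition.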
Cloudflare has been using algorithm 13 for zone signing since 2015,
pioneering its use for the wider community. Its widespread adoption since
then demonstrates the maturity of the resolver ecosystem's ability to
recognize and validate the algorithm. Other important zones also use
algorithm 13 today, such as the .COM and .NET Top-Level Domains (TLDs),
which transitioned to algorithm 13 in the fourth quarter of 2023.
While we anticipate minimal operational impact for end users, we
encourage you to reach out to us with any questions or reports of
unexpected behavior related to the transition.
Christian Elmerot, Cloudflare