[dns-operations] GOV zone operational update: DNSSEC transition to algorithm 13

Christian Elmerot christian at elmerot.se
Wed May 22 07:23:12 UTC 2024

Just a note regarding the state of the transition.
We are fully aware and monitoring the situation around the C-root 
servers and will not proceed with the ongoing DNSSEC algorithm roll 
until it has stabilized.
The .GOV TLD is now publishing DNSKEYs for both algorithm 8 and 13 and
using both to sign the zone.
The update to add the new algorithm 13 DS records to the root has been
submitted to IANA but is not yet published.
We are putting the transition on hold for the moment until all the root
servers are publishing the same version of the root zone.

On 2024-05-13 21:19, Christian Elmerot wrote:
> Cloudflare will start the transition of the .GOV zone to use DNSSEC 
> signing algorithm 13 (ECDSA P-256) about a week from now.
> We do not expect any action to be required by the operators of DNS 
> resolvers or by end-users due to this change. This note is being sent as 
> a courtesy, in the interests of operational transparency.
> We plan to start the transition on May 20th, 2024. The initial step will 
> be to include algorithm 13 signatures alongside algorithm 8 signatures 
> in signed responses sent by the authoritative .GOV nameservers.
> The transition will proceed through the following sequence of events:
> 1. Algorithm 13 signatures are published in addition to algorithm 8 signatures
> 2. Algorithm 13 DNSKEY records are published alongside the current algorithm 8 DNSKEYs
> 3. Algorithm 13 DS record is published in the root zone
> 4. Algorithm 8 DS record is removed from the root zone
> 5. Algorithm 8 DNSKEY records are removed
> 6. Algorithm 8 signatures are removed from responses
> Cloudflare has been using algorithm 13 for zone signing since 2015, 
> pioneering its use to the wider community. The widespread adoption since 
> serves as a testament to the maturity of the resolver ecosystem's 
> ability to recognize and validate the algorithm. Other important zones 
> also use algorithm 13 today, such as the .COM and .NET Top-Level Domains 
> (TLDs) that transitioned to algorithm 13 in the fourth quarter of 2023.
> While we anticipate minimal operational impact for end users, we 
> encourage you to reach out to us with any questions or reports of 
> unexpected behavior related to the transition.
> Christian Elmerot, Cloudflare
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Christian Elmerot
Cloudflare Authoritative DNS
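Added example (not part of the list message and not Cloudflare's tooling): a small Python script, standard library only, that models the six-step algorithm roll quoted above and checks each intermediate state against the ordering rules of RFC 4035 section 2.2 / RFC 6840 section 5.11 (every DNSKEY algorithm must sign every RRset, and every DS algorithm at the parent must have a matching DNSKEY), so an operator can see why steps 1 to 6 are safe and why, for instance, publishing the algorithm 13 DS before the algorithm 13 DNSKEY is not. It also computes the DS record (RFC 4034 section 5.1.4, key tag per Appendix B) that would be submitted to the parent. The DNSKEY used is a constructed placeholder with an all-zero key, not the real .GOV key, and the rollover model is a simplification: it tracks algorithm numbers only, not TTLs or propagation timing.

```python
"""Checks for a DNSSEC algorithm rollover (alg 8 RSA/SHA-256 -> alg 13 ECDSA P-256).

Added example using only the Python standard library. The DNSKEY below is a
constructed placeholder (all-zero key material), not the .GOV key.
"""
import base64
import hashlib
import struct

ALG_RSASHA256 = 8
ALG_ECDSAP256SHA256 = 13


def rollover_problems(sig_algs, dnskey_algs, ds_algs):
    """Return invariant violations for one state of (RRSIG algs, DNSKEY algs, DS algs).

    RFC 4035 2.2 / RFC 6840 5.11: every algorithm in the apex DNSKEY RRset must
    sign every RRset, and the DNSKEY RRset must be signed by every algorithm that
    appears in the parent's DS RRset (which requires a DNSKEY of that algorithm).
    """
    problems = []
    for alg in sorted(dnskey_algs - sig_algs):
        problems.append(f"DNSKEY algorithm {alg} present but RRSIGs missing")
    for alg in sorted(ds_algs - dnskey_algs):
        problems.append(f"DS algorithm {alg} present at parent but no DNSKEY")
    if not ds_algs:
        problems.append("no DS at parent: zone is unsigned from the resolver's view")
    return problems


def transition_states(old=ALG_RSASHA256, new=ALG_ECDSAP256SHA256):
    """The six-step sequence from the announcement as (label, sigs, keys, ds)."""
    return [
        ("start", {old}, {old}, {old}),
        ("1 add new signatures", {old, new}, {old}, {old}),
        ("2 add new DNSKEY", {old, new}, {old, new}, {old}),
        ("3 add new DS at parent", {old, new}, {old, new}, {old, new}),
        ("4 remove old DS at parent", {old, new}, {old, new}, {new}),
        ("5 remove old DNSKEY", {old, new}, {new}, {new}),
        ("6 remove old signatures", {new}, {new}, {new}),
    ]


def check_plan(states):
    """Map each state label to its list of problems (empty list means safe)."""
    return {label: rollover_problems(s, k, d) for label, s, k, d in states}


def parse_dnskey(presentation):
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' into (owner, rdata)."""
    fields = presentation.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split
    return owner, struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit word sum over the DNSKEY RDATA."""
    total = 0
    for i in range(0, len(rdata), 2):
        chunk = rdata[i:i + 2]
        total += (chunk[0] << 8) | (chunk[1] if len(chunk) == 2 else 0)
    total += (total >> 16) & 0xFFFF
    return total & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name: 'gov.' -> b'\\x03gov\\x00'."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(presentation, digest_type=2):
    """RFC 4034 5.1.4: DS = (key tag, algorithm, digest type, hash(owner | RDATA))."""
    owner, rdata = parse_dnskey(presentation)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


# Constructed placeholder: flags 257 (KSK), protocol 3, algorithm 13, zero key.
SAMPLE_DNSKEY = "gov. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    for label, problems in check_plan(transition_states()).items():
        print(f"{label:28s} {'ok' if not problems else '; '.join(problems)}")
    # Out-of-order variant: DS for alg 13 at the parent before any alg 13 DNSKEY.
    print("DS before DNSKEY:", rollover_problems({8}, {8}, {8, 13}))
    tag, alg, dtype, digest = ds_record(SAMPLE_DNSKEY)
    print(f"gov. IN DS {tag} {alg} {dtype} {digest}")
```

The state table encodes exactly the quoted step order; each step changes one of the three sets at a time, which is what keeps both rules true throughout. The DS line printed at the end is for the constructed key only and is what an operator would compare against the parent's published DS when confirming that step 3 has landed.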
