[dns-operations] GOV zone operational update: DNSSEC transition to algorithm 13
Christian Elmerot
christian at elmerot.se
Thu May 23 19:26:11 UTC 2024
We are continuing the DNSSEC algorithm transition of the .GOV TLD to
algorithm 13, as the delays seen on C-root servers look to have been
fully fixed and have been looking stable.
Expect DS records for algorithm 13 to be published shortly.
Christian Elmerot
Cloudflare Authoritative DNS
On 2024-05-22 09:23, Christian Elmerot wrote:
> Just a note regarding the state of the transition.
> We are fully aware and monitoring the situation around the C-root
> servers and will not proceed with the ongoing DNSSEC algorithm roll
> until it has stabilized.
> The .GOV TLD is now publishing DNSKEYs for both algorithm 8 and 13 and
> using both to sign the zone.
> An update to add the new algorithm 13 DS records to the root had been
> submitted to IANA, but they are not yet published.
> We are putting the transition on hold for the moment until all the root
> servers are publishing the same version of the root zone.
>
>
> On 2024-05-13 21:19, Christian Elmerot wrote:
>> Cloudflare will start the transition of the .GOV zone to use DNSSEC
>> signing algorithm 13 (ECDSA P-256) about a week from now.
>>
>> We do not expect any action to be required by the operators of DNS
>> resolvers or by end-users due to this change. This note is being sent
>> as a courtesy, in the interests of operational transparency.
>>
>> We plan to start the transition on May 20th, 2024. The initial step
>> will be to include algorithm 13 signatures alongside algorithm 8
>> signatures in signed responses sent by the authoritative .GOV
>> nameservers.
>>
>> The transition will proceed through the following sequence of events:
>>
>> 1. Algorithm 13 signatures are published in addition to algorithm 8
>> signatures
>> 2. Algorithm 13 DNSKEY records are published alongside the current
>> algorithm 8 DNSKEYs
>> 3. Algorithm 13 DS record is published in the root zone
>> 4. Algorithm 8 DS record is removed from the root zone
>> 5. Algorithm 8 DNSKEY records are removed
>> 6. Algorithm 8 signatures are removed from responses
>>
>> Cloudflare has been using algorithm 13 for zone signing since 2015,
>> pioneering its use to the wider community. The widespread adoption
>> since serves as a testament to the maturity of the resolver
>> ecosystem's ability to recognize and validate the algorithm. Other
>> important zones also use algorithm 13 today, such as the .COM and .NET
>> Top-Level Domains (TLDs) that transitioned to algorithm 13 in the
>> fourth quarter of 2023.
>>
>> While we anticipate minimal operational impact for end users, we
>> encourage you to reach out to us with any questions or reports of
>> unexpected behavior related to the transition.
>>
>> Christian Elmerot, Cloudflare
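The six-step sequence in the original announcement can be followed from outside by comparing the algorithm numbers in the zone's DS, DNSKEY and RRSIG records. The sketch below is an added example, not part of the thread and not Cloudflare's tooling: the function names and the sample records (key tags, placeholder key and signature data) are constructed, and the two consistency checks follow the signer rules in RFC 4035 section 2.2.

```python
OLD, NEW = 8, 13  # RSASHA256 and ECDSA P-256, the two algorithms named in the thread
# Position of the algorithm field inside each record type's RDATA (RFC 4034).
ALG_FIELD = {"DS": 1, "DNSKEY": 2, "RRSIG": 1}
# Expected (RRSIG, DNSKEY, DS) algorithm sets once each announced step is complete.
STEPS = [
    ({OLD}, {OLD}, {OLD}),                 # 0: before the roll
    ({OLD, NEW}, {OLD}, {OLD}),            # 1: alg 13 signatures added
    ({OLD, NEW}, {OLD, NEW}, {OLD}),       # 2: alg 13 DNSKEYs added
    ({OLD, NEW}, {OLD, NEW}, {OLD, NEW}),  # 3: alg 13 DS in the root
    ({OLD, NEW}, {OLD, NEW}, {NEW}),       # 4: alg 8 DS removed
    ({OLD, NEW}, {NEW}, {NEW}),            # 5: alg 8 DNSKEYs removed
    ({NEW}, {NEW}, {NEW}),                 # 6: alg 8 signatures removed
]

def observed_algorithms(zone, lines):
    """Collect algorithm numbers per record type from dig-style answer lines."""
    seen = {"RRSIG": set(), "DNSKEY": set(), "DS": set()}
    for line in lines:
        f = line.split()
        if len(f) < 5 or f[0].lower() != zone or f[3] not in ALG_FIELD:
            continue
        rtype, rdata = f[3], f[4:]
        # Signatures made by the parent (e.g. the root's RRSIG over the DS RRset)
        # say nothing about the child zone's signing algorithms: skip them.
        if rtype == "RRSIG" and (len(rdata) < 8 or rdata[7].lower() != zone):
            continue
        seen[rtype].add(int(rdata[ALG_FIELD[rtype]]))
    return seen["RRSIG"], seen["DNSKEY"], seen["DS"]

def rollover_state(zone, lines):
    """Return (matching step number or None, list of signing-rule violations)."""
    sigs, keys, ds = observed_algorithms(zone, lines)
    problems = []
    if ds - keys:
        problems.append(f"DS algorithm(s) {sorted(ds - keys)} have no DNSKEY")
    if keys - sigs:
        problems.append(f"DNSKEY algorithm(s) {sorted(keys - sigs)} do not sign the zone")
    step = next((i for i, s in enumerate(STEPS) if s == (sigs, keys, ds)), None)
    return step, problems

# Constructed sample matching the state described in the 2024-05-22 message.
SAMPLE = [
    "gov. 86400 IN DS 11111 8 2 <constructed-digest>",
    "gov. 86400 IN RRSIG DS 8 1 86400 20240601000000 20240519000000 22222 . <constructed-sig>",
    "gov. 3600 IN DNSKEY 257 3 8 <constructed-key>",
    "gov. 3600 IN DNSKEY 257 3 13 <constructed-key>",
    "gov. 3600 IN RRSIG SOA 8 1 3600 20240601000000 20240519000000 33333 gov. <constructed-sig>",
    "gov. 3600 IN RRSIG SOA 13 1 3600 20240601000000 20240519000000 44444 gov. <constructed-sig>",
]
```

`rollover_state("gov.", SAMPLE)` reports step 2 with no violations; a `None` step or a non-empty problem list is the condition worth alerting on while the roll is in progress.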