SlideShare a Scribd company logo

Simon

AFRINIC
AFRINIC

The document discusses the key signing key (KSK) algorithm rollover process for the .tz domain. It implemented a "double RRset" rollover method, where it generated a signed zone file with signatures from both the old and new KSK, submitted the new DS record to IANA, and waited for caches to expire before removing the old DNSKEY and DS records. This process allowed the .tz registry to upgrade its software while rolling over its KSK to a new algorithm, addressing security recommendations against the SHA1 algorithm. It required a manual process using dnssec-signzone due to limitations in OpenDNSSEC's support for multiple concurrent algorithms and offline KSKs.

Government & Nonprofit
1 of 11
Download to read offline
.TZ KSK Algorithm Rollover AIS 2015 Tunis, Tunisia 24.05.2015 - 05.06.2015 Simon M. Balthazar
Background ● .TZ zone was signed back in 2012 ● Uses Algorithm 5 (RSASHA1) ● Only algorithm supported by the version of the registry software used at the time of implementation ● Adopted OpenDNSSEC for key management ● Upgrade of the registry software in 2014 ● First KSK rollover in 2014
Motivation ● Deprecation of SHA1 algorithm as recommended by NIST ● Migration to NSEC3 to prevent zone walking
KSK Rollover Methods ● Double Signature ● the new KSK is added to the DNSKEY RRset which is then signed with both the old and new key. After waiting for the old RRset to expire from caches, the DS record in the parent zone is changed. After waiting a further interval for this change to be reflected in caches, the old key is removed from the RRset. ● Double DS ● the new DS record is published. After waiting for this change to propagate into the caches of all validating resolvers, the KSK is changed. After a further interval during which the old DNSKEY RRset expires from caches, the old DS record is removed. ● Double RRset ● the new KSK is added to the DNSKEY RRset which is then signed with both the old and new key, and the new DS record added to the parent zone. After waiting a suitable interval for the old DS and DNSKEY RRsets to expire from validating resolver caches, the old DNSKEY and DS record are removed
Challenges ● Algorithm rollover requires simultaneously supporting multiple algorithm. OpenDNSSEC does not support this currently. ● OpenDNSSEC currently does not support Offline KSK.
Solution ● Manual process for the algorithm rollover is required using dnssec-signzone. – Pre generate a signed zone with double KSK and ZSK signatures using existing keys and the new keys – Test on development machine whether the zone still validates using the existing DS in the root/parent zone as well as new DS – Publish the new zone – Wait for any feedback due to more increased packet size. – Continue to update the zone with two signatures (ZSK) as changes comes in. – Submit a second DS record for the new algorithm to IANA.
Double RRset for .tz
Upload the DS to the Root
Regular Single Algorithm Zone ● Pre-generate a regular single algorithm zone using the new algorithm ● Swap the new zone in and publish. Wait for feedback ● Ask IANA to remove the old DS. Wait for feedback.
Conclusion ● Two birds One stone! ● This process allowed us to move to the new automated platform smoothly as the new keys were imported to the newer version of OpenDNSSEC for keys management
Questions simon@tznic.or.tz

Recommended

Processing Big Data in Real-Time - Yanai Franchi, Tikal
Processing Big Data in Real-Time - Yanai Franchi, TikalProcessing Big Data in Real-Time - Yanai Franchi, Tikal
Processing Big Data in Real-Time - Yanai Franchi, Tikal
Codemotion Tel Aviv
 
PTD and beyond
PTD and beyondPTD and beyond
PTD and beyond
Johan Gustavsson
 
Scaling Up Logging and Metrics
Scaling Up Logging and MetricsScaling Up Logging and Metrics
Scaling Up Logging and Metrics
Ricardo Lourenço
 
No sql & dq2 tracer service
No sql & dq2 tracer serviceNo sql & dq2 tracer service
No sql & dq2 tracer service
Zang Donal
 
Frossie Economou & Angelo Fausti [Vera C. Rubin Observatory] | How InfluxDB H...
Frossie Economou & Angelo Fausti [Vera C. Rubin Observatory] | How InfluxDB H...Frossie Economou & Angelo Fausti [Vera C. Rubin Observatory] | How InfluxDB H...
Frossie Economou & Angelo Fausti [Vera C. Rubin Observatory] | How InfluxDB H...
InfluxData
 
How Scylla Make Adding and Removing Nodes Faster and Safer
How Scylla Make Adding and Removing Nodes Faster and SaferHow Scylla Make Adding and Removing Nodes Faster and Safer
How Scylla Make Adding and Removing Nodes Faster and Safer
ScyllaDB
 
Monitoring Uptime on the NeCTAR Research Cloud - Andy Botting, University of ...
Monitoring Uptime on the NeCTAR Research Cloud - Andy Botting, University of ...Monitoring Uptime on the NeCTAR Research Cloud - Andy Botting, University of ...
Monitoring Uptime on the NeCTAR Research Cloud - Andy Botting, University of ...
OpenStack
 
Taskerman - a distributed cluster task manager
Taskerman - a distributed cluster task managerTaskerman - a distributed cluster task manager
Taskerman - a distributed cluster task manager
Raghavendra Prabhu
 

Recommended

Processing Big Data in Real-Time - Yanai Franchi, Tikal
Processing Big Data in Real-Time - Yanai Franchi, TikalProcessing Big Data in Real-Time - Yanai Franchi, Tikal
Processing Big Data in Real-Time - Yanai Franchi, Tikal
Codemotion Tel Aviv
 
PTD and beyond
PTD and beyondPTD and beyond
PTD and beyond
Johan Gustavsson
 
Scaling Up Logging and Metrics
Scaling Up Logging and MetricsScaling Up Logging and Metrics
Scaling Up Logging and Metrics
Ricardo Lourenço
 
No sql & dq2 tracer service
No sql & dq2 tracer serviceNo sql & dq2 tracer service
No sql & dq2 tracer service
Zang Donal
 
Frossie Economou & Angelo Fausti [Vera C. Rubin Observatory] | How InfluxDB H...
Frossie Economou & Angelo Fausti [Vera C. Rubin Observatory] | How InfluxDB H...Frossie Economou & Angelo Fausti [Vera C. Rubin Observatory] | How InfluxDB H...
Frossie Economou & Angelo Fausti [Vera C. Rubin Observatory] | How InfluxDB H...
InfluxData
 
How Scylla Make Adding and Removing Nodes Faster and Safer
How Scylla Make Adding and Removing Nodes Faster and SaferHow Scylla Make Adding and Removing Nodes Faster and Safer
How Scylla Make Adding and Removing Nodes Faster and Safer
ScyllaDB
 
Monitoring Uptime on the NeCTAR Research Cloud - Andy Botting, University of ...
Monitoring Uptime on the NeCTAR Research Cloud - Andy Botting, University of ...Monitoring Uptime on the NeCTAR Research Cloud - Andy Botting, University of ...
Monitoring Uptime on the NeCTAR Research Cloud - Andy Botting, University of ...
OpenStack
 
Taskerman - a distributed cluster task manager
Taskerman - a distributed cluster task managerTaskerman - a distributed cluster task manager
Taskerman - a distributed cluster task manager
Raghavendra Prabhu
 
Mario on spark
Mario on sparkMario on spark
Mario on spark
Igor Berman
 
Principles in Data Stream Processing | Matthias J Sax, Confluent
Principles in Data Stream Processing | Matthias J Sax, ConfluentPrinciples in Data Stream Processing | Matthias J Sax, Confluent
Principles in Data Stream Processing | Matthias J Sax, Confluent
HostedbyConfluent
 
Heatmap
HeatmapHeatmap
Heatmap
Tikal Knowledge
 
Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...
Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...
Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...
Flink Forward
 
Getting date and time from ntp server with esp8266 node mcu
Getting date and time from ntp server with esp8266 node mcuGetting date and time from ntp server with esp8266 node mcu
Getting date and time from ntp server with esp8266 node mcu
Elaf A.Saeed
 
Processing Big Data in Realtime
Processing Big Data in RealtimeProcessing Big Data in Realtime
Processing Big Data in RealtimeTikal Knowledge
 
Anatomy of an action
Anatomy of an actionAnatomy of an action
Anatomy of an action
Gordon Chung
 
Efficient Migration of Very Large Distributed State for Scalable Stream Proce...
Efficient Migration of Very Large Distributed State for Scalable Stream Proce...Efficient Migration of Very Large Distributed State for Scalable Stream Proce...
Efficient Migration of Very Large Distributed State for Scalable Stream Proce...
Bonaventura Del Monte
 
Kafka short
Kafka shortKafka short
Kafka shortTikal Knowledge
 
Cassandra Lan party
Cassandra Lan partyCassandra Lan party
Cassandra Lan party
Gérald Quintana
 
Stabilising the jenga tower
Stabilising the jenga towerStabilising the jenga tower
Stabilising the jenga tower
Gordon Chung
 
S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...
S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...
S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...
Codemotion Tel Aviv
 
Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)
Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)
Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)
Ontico
 
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Junho Suh
 
Taller syslog
Taller syslogTaller syslog
Taller syslog
Alumic S.A
 
Ensuring QoS in Multi-tenant Hadoop Environments
Ensuring QoS in Multi-tenant Hadoop EnvironmentsEnsuring QoS in Multi-tenant Hadoop Environments
Ensuring QoS in Multi-tenant Hadoop Environments
Becky Mendenhall
 
Fun421 stephens
Fun421 stephensFun421 stephens
Fun421 stephens
Tess Ferrandez
 
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward
 
Golang in TiDB (GopherChina 2017)
Golang in TiDB (GopherChina 2017)Golang in TiDB (GopherChina 2017)
Golang in TiDB (GopherChina 2017)
PingCAP
 
And Then There Are Algorithms
And Then There Are AlgorithmsAnd Then There Are Algorithms
And Then There Are Algorithms
InfluxData
 
Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)
Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)
Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)
Hien Nguyen Van
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
Deploy360 Programme (Internet Society)
 

More Related Content

What's hot

Mario on spark
Mario on sparkMario on spark
Mario on spark
Igor Berman
 
Principles in Data Stream Processing | Matthias J Sax, Confluent
Principles in Data Stream Processing | Matthias J Sax, ConfluentPrinciples in Data Stream Processing | Matthias J Sax, Confluent
Principles in Data Stream Processing | Matthias J Sax, Confluent
HostedbyConfluent
 
Heatmap
HeatmapHeatmap
Heatmap
Tikal Knowledge
 
Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...
Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...
Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...
Flink Forward
 
Getting date and time from ntp server with esp8266 node mcu
Getting date and time from ntp server with esp8266 node mcuGetting date and time from ntp server with esp8266 node mcu
Getting date and time from ntp server with esp8266 node mcu
Elaf A.Saeed
 
Processing Big Data in Realtime
Processing Big Data in RealtimeProcessing Big Data in Realtime
Processing Big Data in RealtimeTikal Knowledge
 
Anatomy of an action
Anatomy of an actionAnatomy of an action
Anatomy of an action
Gordon Chung
 
Efficient Migration of Very Large Distributed State for Scalable Stream Proce...
Efficient Migration of Very Large Distributed State for Scalable Stream Proce...Efficient Migration of Very Large Distributed State for Scalable Stream Proce...
Efficient Migration of Very Large Distributed State for Scalable Stream Proce...
Bonaventura Del Monte
 
Cassandra Lan party
Cassandra Lan partyCassandra Lan party
Cassandra Lan party
Gérald Quintana
 
Stabilising the jenga tower
Stabilising the jenga towerStabilising the jenga tower
Stabilising the jenga tower
Gordon Chung
 
S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...
S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...
S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...
Codemotion Tel Aviv
 
Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)
Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)
Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)
Ontico
 
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Junho Suh
 
Taller syslog
Taller syslogTaller syslog
Taller syslog
Alumic S.A
 
Ensuring QoS in Multi-tenant Hadoop Environments
Ensuring QoS in Multi-tenant Hadoop EnvironmentsEnsuring QoS in Multi-tenant Hadoop Environments
Ensuring QoS in Multi-tenant Hadoop Environments
Becky Mendenhall
 
Fun421 stephens
Fun421 stephensFun421 stephens
Fun421 stephens
Tess Ferrandez
 
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward
 
Golang in TiDB (GopherChina 2017)
Golang in TiDB (GopherChina 2017)Golang in TiDB (GopherChina 2017)
Golang in TiDB (GopherChina 2017)
PingCAP
 
And Then There Are Algorithms
And Then There Are AlgorithmsAnd Then There Are Algorithms
And Then There Are Algorithms
InfluxData
 

What's hot (20)

Mario on spark
Mario on sparkMario on spark
Mario on spark
 
Principles in Data Stream Processing | Matthias J Sax, Confluent
Principles in Data Stream Processing | Matthias J Sax, ConfluentPrinciples in Data Stream Processing | Matthias J Sax, Confluent
Principles in Data Stream Processing | Matthias J Sax, Confluent
 
Heatmap
HeatmapHeatmap
Heatmap
 
Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...
Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...
Flink Forward Berlin 2017: Robert Metzger - Keep it going - How to reliably a...
 
Getting date and time from ntp server with esp8266 node mcu
Getting date and time from ntp server with esp8266 node mcuGetting date and time from ntp server with esp8266 node mcu
Getting date and time from ntp server with esp8266 node mcu
 
Processing Big Data in Realtime
Processing Big Data in RealtimeProcessing Big Data in Realtime
Processing Big Data in Realtime
 
Anatomy of an action
Anatomy of an actionAnatomy of an action
Anatomy of an action
 
Efficient Migration of Very Large Distributed State for Scalable Stream Proce...
Efficient Migration of Very Large Distributed State for Scalable Stream Proce...Efficient Migration of Very Large Distributed State for Scalable Stream Proce...
Efficient Migration of Very Large Distributed State for Scalable Stream Proce...
 
Kafka short
Kafka shortKafka short
Kafka short
 
Cassandra Lan party
Cassandra Lan partyCassandra Lan party
Cassandra Lan party
 
Stabilising the jenga tower
Stabilising the jenga towerStabilising the jenga tower
Stabilising the jenga tower
 
S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...
S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...
S3, Cassandra or Outer Space? Dumping Time Series Data using Spark - Demi Ben...
 
Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)
Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)
Анализ телеметрии при масштабировании, Theo Schlossnagle (Circonus)
 
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
 
Taller syslog
Taller syslogTaller syslog
Taller syslog
 
Ensuring QoS in Multi-tenant Hadoop Environments
Ensuring QoS in Multi-tenant Hadoop EnvironmentsEnsuring QoS in Multi-tenant Hadoop Environments
Ensuring QoS in Multi-tenant Hadoop Environments
 
Fun421 stephens
Fun421 stephensFun421 stephens
Fun421 stephens
 
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
 
Golang in TiDB (GopherChina 2017)
Golang in TiDB (GopherChina 2017)Golang in TiDB (GopherChina 2017)
Golang in TiDB (GopherChina 2017)
 
And Then There Are Algorithms
And Then There Are AlgorithmsAnd Then There Are Algorithms
And Then There Are Algorithms
 

Similar to Simon

Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)
Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)
Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)
Hien Nguyen Van
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
Deploy360 Programme (Internet Society)
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
APNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
APNIC
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
Third Party DNS Operator to Registries/Registrars Protocol
Third Party DNS Operator to Registries/Registrars ProtocolThird Party DNS Operator to Registries/Registrars Protocol
Third Party DNS Operator to Registries/Registrars Protocol
APNIC
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain Registry
Deploy360 Programme (Internet Society)
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching Revisited
APNIC
 
Large scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsLarge scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutions
Han Zhou
 
Scale by the Bay 2019 Reprogramming the Programmer
Scale by the Bay 2019 Reprogramming the ProgrammerScale by the Bay 2019 Reprogramming the Programmer
Scale by the Bay 2019 Reprogramming the Programmer
Paul Cleary
 
Challenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic AlgorithmsChallenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic Algorithms
Deploy360 Programme (Internet Society)
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
APNIC
 
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
APNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
APNIC
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC
 
Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server
Kumar Ashutosh
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSK
APNIC
 
Introduction to Postrges-XC
Introduction to Postrges-XCIntroduction to Postrges-XC
Introduction to Postrges-XC
Ashutosh Bapat
 
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeHadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Erik Krogen
 

Similar to Simon (20)

Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)
Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)
Kubecon shanghai rook deployed nfs clusters over ceph-fs (translator copy)
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
Third Party DNS Operator to Registries/Registrars Protocol
Third Party DNS Operator to Registries/Registrars ProtocolThird Party DNS Operator to Registries/Registrars Protocol
Third Party DNS Operator to Registries/Registrars Protocol
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain Registry
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching Revisited
 
Large scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsLarge scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutions
 
Scale by the Bay 2019 Reprogramming the Programmer
Scale by the Bay 2019 Reprogramming the ProgrammerScale by the Bay 2019 Reprogramming the Programmer
Scale by the Bay 2019 Reprogramming the Programmer
 
Challenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic AlgorithmsChallenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic Algorithms
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
 
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer Migration
 
Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSK
 
Introduction to Postrges-XC
Introduction to Postrges-XCIntroduction to Postrges-XC
Introduction to Postrges-XC
 
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeHadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
 

More from AFRINIC

AIS19 - Policies under discussion
AIS19 - Policies under discussionAIS19 - Policies under discussion
AIS19 - Policies under discussion
AFRINIC
 
AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)
AFRINIC
 
AFRINIC 101 2017
AFRINIC 101 2017AFRINIC 101 2017
AFRINIC 101 2017
AFRINIC
 
AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)
AFRINIC
 
Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...
AFRINIC
 
Insight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level LatenciesInsight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level Latencies
AFRINIC
 
Deep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country LatenciesDeep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country Latencies
AFRINIC
 
Studying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sectorStudying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sector
AFRINIC
 
Routing security and implications for NRENs
Routing security and implications for NRENsRouting security and implications for NRENs
Routing security and implications for NRENs
AFRINIC
 
APRICOT Latency Clustering
APRICOT Latency ClusteringAPRICOT Latency Clustering
APRICOT Latency Clustering
AFRINIC
 
Latency clustering AfPIF2017
Latency clustering AfPIF2017Latency clustering AfPIF2017
Latency clustering AfPIF2017
AFRINIC
 
AFRINIC RIA MoU
AFRINIC RIA MoUAFRINIC RIA MoU
AFRINIC RIA MoU
AFRINIC
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
AFRINIC
 
Tampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From AfricaTampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From Africa
AFRINIC
 
Assessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital ResilienceAssessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital Resilience
AFRINIC
 
Measuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENsMeasuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENs
AFRINIC
 
State of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in AfricaState of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in Africa
AFRINIC
 
TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool
AFRINIC
 
Measuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicatorsMeasuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicators
AFRINIC
 
Beyond access: measuring digital inequalities
Beyond access: measuring digital inequalitiesBeyond access: measuring digital inequalities
Beyond access: measuring digital inequalities
AFRINIC
 

More from AFRINIC (20)

AIS19 - Policies under discussion
AIS19 - Policies under discussionAIS19 - Policies under discussion
AIS19 - Policies under discussion
 
AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)
 
AFRINIC 101 2017
AFRINIC 101 2017AFRINIC 101 2017
AFRINIC 101 2017
 
AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)
 
Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...
 
Insight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level LatenciesInsight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level Latencies
 
Deep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country LatenciesDeep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country Latencies
 
Studying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sectorStudying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sector
 
Routing security and implications for NRENs
Routing security and implications for NRENsRouting security and implications for NRENs
Routing security and implications for NRENs
 
APRICOT Latency Clustering
APRICOT Latency ClusteringAPRICOT Latency Clustering
APRICOT Latency Clustering
 
Latency clustering AfPIF2017
Latency clustering AfPIF2017Latency clustering AfPIF2017
Latency clustering AfPIF2017
 
AFRINIC RIA MoU
AFRINIC RIA MoUAFRINIC RIA MoU
AFRINIC RIA MoU
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
 
Tampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From AfricaTampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From Africa
 
Assessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital ResilienceAssessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital Resilience
 
Measuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENsMeasuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENs
 
State of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in AfricaState of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in Africa
 
TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool
 
Measuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicatorsMeasuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicators
 
Beyond access: measuring digital inequalities
Beyond access: measuring digital inequalitiesBeyond access: measuring digital inequalities
Beyond access: measuring digital inequalities
 

Recently uploaded

如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
850fcj96
 
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
ehbuaw
 
ZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdfZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdf
Saeed Al Dhaheri
 
PPT Item # 6 - 7001 Broadway ARB Case # 933F
PPT Item # 6 - 7001 Broadway ARB Case # 933FPPT Item # 6 - 7001 Broadway ARB Case # 933F
PPT Item # 6 - 7001 Broadway ARB Case # 933F
ahcitycouncil
 
PPT Item # 8 - Tuxedo Columbine 3way Stop
PPT Item # 8 - Tuxedo Columbine 3way StopPPT Item # 8 - Tuxedo Columbine 3way Stop
PPT Item # 8 - Tuxedo Columbine 3way Stop
ahcitycouncil
 
Russian anarchist and anti-war movement in the third year of full-scale war
Russian anarchist and anti-war movement in the third year of full-scale warRussian anarchist and anti-war movement in the third year of full-scale war
Russian anarchist and anti-war movement in the third year of full-scale war
Antti Rautiainen
 
Get Government Grants and Assistance Program
Get Government Grants and Assistance ProgramGet Government Grants and Assistance Program
Get Government Grants and Assistance Program
Get Government Grants
 
一比一原版(WSU毕业证)西悉尼大学毕业证成绩单
一比一原版(WSU毕业证)西悉尼大学毕业证成绩单一比一原版(WSU毕业证)西悉尼大学毕业证成绩单
一比一原版(WSU毕业证)西悉尼大学毕业证成绩单
evkovas
 
PACT launching workshop presentation-Final.pdf
PACT launching workshop presentation-Final.pdfPACT launching workshop presentation-Final.pdf
PACT launching workshop presentation-Final.pdf
Mohammed325561
 
PPT Item # 5 - 5330 Broadway ARB Case # 930F
PPT Item # 5 - 5330 Broadway ARB Case # 930FPPT Item # 5 - 5330 Broadway ARB Case # 930F
PPT Item # 5 - 5330 Broadway ARB Case # 930F
ahcitycouncil
 
What is the point of small housing associations.pptx
What is the point of small housing associations.pptxWhat is the point of small housing associations.pptx
What is the point of small housing associations.pptx
Paul Smith
 
Many ways to support street children.pptx
Many ways to support street children.pptxMany ways to support street children.pptx
Many ways to support street children.pptx
SERUDS INDIA
 
一比一原版(UQ毕业证)昆士兰大学毕业证成绩单
一比一原版(UQ毕业证)昆士兰大学毕业证成绩单一比一原版(UQ毕业证)昆士兰大学毕业证成绩单
一比一原版(UQ毕业证)昆士兰大学毕业证成绩单
ehbuaw
 
2024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 372024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 37
JSchaus & Associates
 
一比一原版(UOW毕业证)伍伦贡大学毕业证成绩单
一比一原版(UOW毕业证)伍伦贡大学毕业证成绩单一比一原版(UOW毕业证)伍伦贡大学毕业证成绩单
一比一原版(UOW毕业证)伍伦贡大学毕业证成绩单
ehbuaw
 
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptxPD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
RIDPRO11
 
The Role of a Process Server in real estate
The Role of a Process Server in real estateThe Role of a Process Server in real estate
The Role of a Process Server in real estate
oklahomajudicialproc1
 
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Congressional Budget Office
 
NHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdfNHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdf
AjayVejendla3
 
Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023
ARCResearch
 

Recently uploaded (20)

如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
 
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
一比一原版(ANU毕业证)澳大利亚国立大学毕业证成绩单
 
ZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdfZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdf
 
PPT Item # 6 - 7001 Broadway ARB Case # 933F
PPT Item # 6 - 7001 Broadway ARB Case # 933FPPT Item # 6 - 7001 Broadway ARB Case # 933F
PPT Item # 6 - 7001 Broadway ARB Case # 933F
 
PPT Item # 8 - Tuxedo Columbine 3way Stop
PPT Item # 8 - Tuxedo Columbine 3way StopPPT Item # 8 - Tuxedo Columbine 3way Stop
PPT Item # 8 - Tuxedo Columbine 3way Stop
 
Russian anarchist and anti-war movement in the third year of full-scale war
Russian anarchist and anti-war movement in the third year of full-scale warRussian anarchist and anti-war movement in the third year of full-scale war
Russian anarchist and anti-war movement in the third year of full-scale war
 
Get Government Grants and Assistance Program
Get Government Grants and Assistance ProgramGet Government Grants and Assistance Program
Get Government Grants and Assistance Program
 
一比一原版(WSU毕业证)西悉尼大学毕业证成绩单
一比一原版(WSU毕业证)西悉尼大学毕业证成绩单一比一原版(WSU毕业证)西悉尼大学毕业证成绩单
一比一原版(WSU毕业证)西悉尼大学毕业证成绩单
 
PACT launching workshop presentation-Final.pdf
PACT launching workshop presentation-Final.pdfPACT launching workshop presentation-Final.pdf
PACT launching workshop presentation-Final.pdf
 
PPT Item # 5 - 5330 Broadway ARB Case # 930F
PPT Item # 5 - 5330 Broadway ARB Case # 930FPPT Item # 5 - 5330 Broadway ARB Case # 930F
PPT Item # 5 - 5330 Broadway ARB Case # 930F
 
What is the point of small housing associations.pptx
What is the point of small housing associations.pptxWhat is the point of small housing associations.pptx
What is the point of small housing associations.pptx
 
Many ways to support street children.pptx
Many ways to support street children.pptxMany ways to support street children.pptx
Many ways to support street children.pptx
 
一比一原版(UQ毕业证)昆士兰大学毕业证成绩单
一比一原版(UQ毕业证)昆士兰大学毕业证成绩单一比一原版(UQ毕业证)昆士兰大学毕业证成绩单
一比一原版(UQ毕业证)昆士兰大学毕业证成绩单
 
2024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 372024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 37
 
一比一原版(UOW毕业证)伍伦贡大学毕业证成绩单
一比一原版(UOW毕业证)伍伦贡大学毕业证成绩单一比一原版(UOW毕业证)伍伦贡大学毕业证成绩单
一比一原版(UOW毕业证)伍伦贡大学毕业证成绩单
 
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptxPD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
 
The Role of a Process Server in real estate
The Role of a Process Server in real estateThe Role of a Process Server in real estate
The Role of a Process Server in real estate
 
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
 
NHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdfNHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdf
 
Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023
 

Simon

  • 1. .TZ KSK Algorithm Rollover AIS 2015 Tunis, Tunisia 24.05.2015 - 05.06.2015 Simon M. Balthazar
  • 2. Background ● .TZ zone was signed back in 2012 ● Uses Algorithm 5 (RSASHA1) ● Only algorithm supported by the version of the registry software used at the time of implementation ● Adopted OpenDNSSEC for key management ● Upgrade of the registry software in 2014 ● First KSK rollover in 2014
  • 3. Motivation ● Deprecation of SHA1 algorithm as recommended by NIST ● Migration to NSEC3 to prevent zone walking
  • 4. KSK Rollover Methods ● Double Signature ● the new KSK is added to the DNSKEY RRset which is then signed with both the old and new key. After waiting for the old RRset to expire from caches, the DS record in the parent zone is changed. After waiting a further interval for this change to be reflected in caches, the old key is removed from the RRset. ● Double DS ● the new DS record is published. After waiting for this change to propagate into the caches of all validating resolvers, the KSK is changed. After a further interval during which the old DNSKEY RRset expires from caches, the old DS record is removed. ● Double RRset ● the new KSK is added to the DNSKEY RRset which is then signed with both the old and new key, and the new DS record added to the parent zone. After waiting a suitable interval for the old DS and DNSKEY RRsets to expire from validating resolver caches, the old DNSKEY and DS record are removed
  • 5. Challenges ● Algorithm rollover requires simultaneously supporting multiple algorithm. OpenDNSSEC does not support this currently. ● OpenDNSSEC currently does not support Offline KSK.
  • 6. Solution ● Manual process for the algorithm rollover is required using dnssec-signzone. – Pre generate a signed zone with double KSK and ZSK signatures using existing keys and the new keys – Test on development machine whether the zone still validates using the existing DS in the root/parent zone as well as new DS – Publish the new zone – Wait for any feedback due to more increased packet size. – Continue to update the zone with two signatures (ZSK) as changes comes in. – Submit a second DS record for the new algorithm to IANA.
  • 8. Upload the DS to the Root
  • 9. Regular Single Algorithm Zone ● Pre-generate a regular single algorithm zone using the new algorithm ● Swap the new zone in and publish. Wait for feedback ● Ask IANA to remove the old DS. Wait for feedback.
  • 10. Conclusion ● Two birds One stone! ● This process allowed us to move to the new automated platform smoothly as the new keys were imported to the newer version of OpenDNSSEC for keys management