Performing a signing algorithm rollover is not for the faint of heart

We are proud of our DNSSEC heritage here at Secure64. We launched the first fully automated DNSSEC signing appliance in 2008, just weeks after security researcher Dan Kaminsky made public the flaws in the DNS protocol that DNSSEC addresses. Our goal from the very beginning was to make deploying DNSSEC simple and secure. And we are now fortunate to be trusted by many organizations, including top-level domains, regional Internet registries, government agencies and communication service providers, to secure their DNS infrastructure with DNSSEC.

So when our friends at RIPE approached us for help in performing an algorithm rollover, we jumped right in. RIPE uses our DNS Signer product to sign the reverse zones that they manage. Like other early adopters of DNSSEC, RIPE had been signing their zones for many years with the RSA/SHA-1 algorithm. However, this algorithm had recently been found to be insufficiently strong, and RIPE wanted to transition to the stronger RSA/SHA-2 algorithm.

But changing a signing algorithm without breaking the chain of trust that DNSSEC relies upon is not for the faint of heart. It is extremely complicated, as it requires signing the zones with two different algorithms, waiting for a critical period of time, publishing the second signing key, waiting again, and finally removing the old signing key from the parent zone. And if any one step is performed incorrectly, your domain could be wiped off the internet. Ouch.

At the time, our DNS Signer product was able to sign a zone with a single algorithm, but not with two, which is what is required to roll an algorithm without breaking the critical chain of trust. Our development team worked closely with RIPE throughout their well-designed test process to ensure that the rollover would be completed successfully. And we all learned some important lessons on best practices when, during testing, we hit an unexpected snag with other validating resolvers that had to be worked through.
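The sequence described above (sign with both algorithms, wait, publish the new key, wait, then retire the old key at the parent) is easy to get wrong because the order and the waits are dictated by a rule that strict validating resolvers enforce: every algorithm listed in a zone's DNSKEY RRset must sign every RRset in the zone, and every algorithm in the parent's DS set must have a matching DNSKEY. Publishing the new DNSKEY before the new signatures exist in every cache is exactly the kind of snag that makes some validators reject the whole zone. The model below is an added example, not Secure64's or RIPE's code: it walks a conservative double-signature rollover stage by stage, checks that rule at each stage, reports the TTL that has to expire before the next stage, and shows the shortcut that fails. The zone name, RRsets, key algorithms' numbering (5 for RSASHA1, 8 for RSASHA256 per IANA) and TTL values are constructed for illustration; the stage order follows the conservative algorithm rollover of RFC 6781, with removal of the old DS at the parent kept as its own step.

```python
"""Stage-by-stage model of a conservative (double-signature) DNSSEC
algorithm rollover, checked at each step against the consistency rule
that strict validating resolvers enforce.

Added example, not Secure64's or RIPE's code. Zone name, RRsets and TTLs
are constructed; algorithm numbers are the IANA values 5 (RSASHA1) and
8 (RSASHA256). Stage order follows the conservative rollover of RFC 6781,
with the parent-side DS removal modelled as its own step.
"""
from dataclasses import dataclass

RSASHA1, RSASHA256 = 5, 8

# Constructed RRsets of a hypothetical reverse zone.
RRSETS = ("10.in-addr.arpa. SOA", "10.in-addr.arpa. NS",
          "10.in-addr.arpa. DNSKEY", "1.0.10.in-addr.arpa. PTR")

# Constructed TTLs (seconds) that gate each wait. In practice use the
# zone's own TTLs plus the parent's DS TTL, and add propagation time.
TTLS = {"rrsig": 3600, "dnskey": 3600, "ds": 86400}


@dataclass
class ZoneState:
    ds_algs: set       # algorithms of the DS records the parent publishes
    dnskey_algs: set   # algorithms present in the apex DNSKEY RRset
    rrsig_algs: dict   # RRset name -> set of RRSIG algorithms covering it


def validator_problems(z: ZoneState) -> list:
    """Rules a strict validator applies (RFC 4035 section 2.2).

    1. Each algorithm in the DNSKEY RRset must sign every RRset.
    2. Each algorithm in the parent's DS set must have a matching DNSKEY
       (which, by rule 1, then signs the DNSKEY RRset).
    Signatures whose algorithm is absent from DNSKEY are ignored, which is
    why new-algorithm RRSIGs can be published before the new DNSKEY.
    """
    problems = []
    for alg in sorted(z.dnskey_algs):
        for rrset, algs in z.rrsig_algs.items():
            if alg not in algs:
                problems.append(f"{rrset} has no RRSIG with algorithm {alg}")
    for alg in sorted(z.ds_algs - z.dnskey_algs):
        problems.append(f"DS algorithm {alg} has no DNSKEY")
    return problems


def signed_with(*algs) -> dict:
    """Every RRset in the zone carries an RRSIG for each listed algorithm."""
    return {r: set(algs) for r in RRSETS}


def conservative_rollover(old: int, new: int) -> list:
    """(stage, state, TTL key that must expire before the next stage)."""
    return [
        ("initial",            ZoneState({old}, {old}, signed_with(old)), None),
        ("new RRSIGs",         ZoneState({old}, {old}, signed_with(old, new)), "rrsig"),
        ("new DNSKEY",         ZoneState({old}, {old, new}, signed_with(old, new)), "dnskey"),
        ("new DS",             ZoneState({old, new}, {old, new}, signed_with(old, new)), "ds"),
        ("old DS removal",     ZoneState({new}, {old, new}, signed_with(old, new)), "ds"),
        ("old DNSKEY removal", ZoneState({new}, {new}, signed_with(old, new)), "dnskey"),
        ("old RRSIGs removal", ZoneState({new}, {new}, signed_with(new)), None),
    ]


def naive_rollover(old: int, new: int) -> list:
    """The tempting shortcut: publish the new DNSKEY, then re-sign.
    Until the new signatures reach every cache, strict validators see a
    DNSKEY algorithm with no signatures and fail the entire zone."""
    return [
        ("initial",          ZoneState({old}, {old}, signed_with(old)), None),
        ("new DNSKEY first", ZoneState({old}, {old, new}, signed_with(old)), "dnskey"),
        ("then new RRSIGs",  ZoneState({old}, {old, new}, signed_with(old, new)), "rrsig"),
    ]


def check_plan(stages: list, ttls: dict = TTLS) -> list:
    """Per stage: (name, validator problems, seconds to hold before moving on)."""
    return [(name, validator_problems(state), ttls[gate] if gate else 0)
            for name, state, gate in stages]


if __name__ == "__main__":
    for plan in (conservative_rollover, naive_rollover):
        print(f"--- {plan.__name__} ---")
        for name, problems, hold in check_plan(plan(RSASHA1, RSASHA256)):
            status = "OK" if not problems else "BREAKS: " + "; ".join(problems)
            print(f"{name:20s} hold {hold:6d}s  {status}")
```

The conservative plan reports no validator problems at any stage, and the summed hold times (about two days with the constructed TTLs, dominated by the parent's DS TTL) are the "critical period of time" a signer must not shortcut. The naive plan breaks at its second stage for every RRset in the zone, which is the failure mode a strictly validating resolver would expose during testing.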

But thanks to RIPE’s pioneering efforts, Secure64 Signer customers can now roll their signing algorithms with confidence.


You can read more about RIPE’s experience with algorithm rollover at:

DNS Rollover

Theresa DeGroote
