
WIP: Security improvement: Switch DNSSEC Key algorithm to RSASHA256 for new keys

I suggest changing the key hash algorithm to RSASHA256 as this is now the most commonly used one. This is also used in root zones.

This change should only affect newly generated keys. Old keys will stay in place and be used to sign existing zones. No Key-Rollover required (if one wants to change an existing zone to RSASHA256 one would need to do a manual rollover by creating a new key by hand, publishing it as a secondary key, waiting a safe amount of time and exchanging the key files by hand).

I think I also saw some issues requesting this...

Note: This is still an untested WIP - just wanted to inform you about that! A few more changes required... I am working on this in my spare time...
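An added sanity check for the manual rollover described above (example code, not part of this merge request or the project): while an old-algorithm key and a new RSASHA256 key are published together, every RRset must carry an RRSIG for each algorithm in the DNSKEY RRset (RFC 4035 section 2.2, RFC 6781 section 4.1.4), or strict validators may fail the zone. The zone text, names and key fields are constructed placeholders.

```python
"""Algorithm-coverage check for a zone mid-way through a DNSSEC algorithm
rollover: every RRset must carry an RRSIG for every algorithm present in
the apex DNSKEY RRset (RFC 4035 2.2), or strict validators may SERVFAIL."""
from collections import defaultdict

ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                   10: "RSASHA512", 13: "ECDSAP256SHA256", 15: "ED25519"}

# Constructed sample zone: old RSASHA1 KSK and new RSASHA256 KSK published,
# but the A RRset is still signed by the old algorithm only. Key/signature
# fields are placeholders, not real key material.
ZONE_MID_ROLLOVER = """\
example.test. 3600 IN DNSKEY 257 3 5 AwEAAb-placeholder-old-key
example.test. 3600 IN DNSKEY 257 3 8 AwEAAc-placeholder-new-key
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20240201000000 20240101000000 11111 example.test. sig1
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20240201000000 20240101000000 22222 example.test. sig2
www.example.test. 300 IN A 192.0.2.10
www.example.test. 300 IN RRSIG A 5 3 300 20240201000000 20240101000000 11111 example.test. sig3
"""

def parse_records(zone_text):
    """Yield (owner, rrtype, rdata_fields) from presentation-format lines."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # blank lines, comments, $-directives
        yield fields[0], fields[3], fields[4:]

def dnskey_algorithms(records):
    """Algorithm numbers in the DNSKEY RRset (rdata: flags proto alg key)."""
    return {int(rd[2]) for _, rrtype, rd in records if rrtype == "DNSKEY"}

def missing_signatures(zone_text):
    """Map (owner, type) -> algorithm names lacking an RRSIG on that RRset."""
    records = list(parse_records(zone_text))
    required = dnskey_algorithms(records)
    rrsets = {(o, t) for o, t, _ in records if t != "RRSIG"}
    signed = defaultdict(set)  # (owner, covered type) -> algorithms seen
    for owner, rrtype, rd in records:
        if rrtype == "RRSIG":  # rdata: covered alg labels ttl exp inc tag signer sig
            signed[(owner, rd[0])].add(int(rd[1]))
    missing = {}
    for key in sorted(rrsets):
        gap = required - signed[key]
        if gap:
            missing[key] = {ALGORITHM_NAMES.get(a, str(a)) for a in gap}
    return missing

if __name__ == "__main__":
    print(missing_signatures(ZONE_MID_ROLLOVER))
```

The check reports the A RRset as lacking an RSASHA256 signature; once the zone is re-signed with both keys the result is empty and the old key can be retired after the usual TTL-based wait.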
