https://indico.dns-oarc.net/event/48/contributions/1038/

    
 

  * Indico style
  * Indico style - inline minutes
  * Indico style - numbered
  * Indico style - numbered + minutes
  * Indico Weeks View

 
Choose Timezone
(*) Use the event/category timezone
( ) Specify a timezone
[UTC                           ]
Save
US/Eastern English (United Kingdom)

  * Deutsch (Deutschland)
  * English (United Kingdom)
  * English (United States)
  * Espanol (Espana)
  * Francais (France)
  * Italiano (Italia)
  * Polski (Polska)
  * Portugues (Brasil)
  * Turkce (Turkiye)
  * Cestina (Cesko)
  * Mongol (Mongol)
  * Ukrayins'ka (Ukrayina)
  * Zhong Wen  (Zhong Guo )

Login

 
OARC 42
OARC 42

8-9 Feb 2024 Workshop
Embassy Suites Charlotte Uptown
US/Eastern timezone

  * DONATE
  * Overview
  * 
  * Schedule
  * Speakers & Presentations
  * 
  * 
  * Attendees List
  * Registration
      + Portal Registration Link & Instructions
  * 
  * 
  * Accommodation
  * 
  * 
  * COVID-19 Protocol
  * Parallel Events
  * Surveys
  * 
  * Mattermost: Workshops on chat.dns-oarc.net
  * 
  * About DNS-OARC
  * 
  * 

OARC Meeting Admin

  * meeting@dns-oarc.net
  * admin@dns-oarc.net
  * pc@dns-oarc.net

GOV multi-signer transition with NSEC/NSEC3

8 Feb 2024, 14:20
25m
Salon A/B (Embassy Suites Charlotte Uptown)

Salon A/B

Embassy Suites Charlotte Uptown

401 East Martin Luther King Jr Blvd Charlotte NC 28202 United States
In-Person Standard Presentation Main Session OARC 42 Day 1

Speaker

Christian Elmerot (Cloudflare)

Description

In 2023 operations for the .GOV TLD transitioned from Verisign to
Cloudflare. One interesting aspect of this transition was the
different approaches to DNSSEC signing by Verisign and Cloudflare.
Whereas Verisign uses offline signing with RSA (algorithm 8) and
NSEC3, Cloudflare generally uses online signing with ECDSA (algorithm
13) and NSEC.

Although the parties agreed to transition using only RSA, we wanted
to test the statement in RFC 8901 ("Multi-Signer DNSSEC Models") that
says "NSEC and NSEC3 can be used by different providers to serve the
same zone." After extensive testing by both parties, we found no
reasons why it shouldn't work, and this approach was used for the
transition. To the best of our knowledge, this is likely to be the
first time that a signed zone of such significance was operated using
NSEC and NSEC3 at the same time.

Primary author

Christian Elmerot (Cloudflare)

Presentation materials

gov-transition-nsec-nsec3.pdf
speaker
ElmerotQuarter.png

Indico
Powered by Indico v3.2.8

  * Help
  * Contact