After watching the root DNSSEC KSK rollover transpire with no notable fallout, I thought it would be a good time to try a rollover of my own. My attitude towards DNSSEC has been to set it and forget it, so I've never touched a zone's keys after the initial signing procedure. What better time to practice a rollover than when it's top of mind?
While I was poking around, I decided the key tags for this zone were a little boring and could use some spicing up:
    [parse@stemmons ~]$ delv DNSKEY shaunc.com. +nocrypto +short
    256 3 8 [key id = 18723] ; ZSK; alg = RSASHA256 ; key id = 18723
    257 3 8 [key id = 1300] ; KSK; alg = RSASHA256 ; key id = 1300
Key tags, like 1300 and 18723 above, come out more or less random when you mint a new key with dnssec-keygen. There's a function that computes the key tag from the key type (the flags field), protocol, algorithm, and the key text itself. Considering that the ...
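As an added example (my own code, not from the original post), here is that key-tag function as RFC 4034 Appendix B specifies it, in Python; the DNSKEY records it runs on are constructed samples, not the shaunc.com keys shown above.

```python
import base64
import struct


def dnssec_key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Compute the DNSKEY key tag per RFC 4034, Appendix B.

    The tag is a 16-bit checksum over the DNSKEY RDATA (flags, protocol,
    algorithm, public key). It is not a cryptographic fingerprint: two
    distinct keys can share a tag, so validators use it only to narrow
    the set of DNSKEYs to try against an RRSIG.
    """
    if algorithm == 1:
        # RSA/MD5 (deprecated) has a special rule: the 16 bits formed by the
        # third-to-last and second-to-last octets of the public key.
        if len(public_key) < 3:
            raise ValueError("algorithm 1 key too short")
        return (public_key[-3] << 8) | public_key[-2]

    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8   # even index: high byte; odd index: low byte
    ac += (ac >> 16) & 0xFFFF                 # fold the carry back into the low 16 bits
    return ac & 0xFFFF


def key_tag_from_presentation(line: str) -> int:
    """Key tag for a DNSKEY in presentation (zone-file) format, e.g.
    "256 3 8 AQIDBA==". The base64 key text may be split across several
    whitespace-separated fields, as dig/delv print it."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("expected: <flags> <protocol> <algorithm> <base64 key>")
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    public_key = base64.b64decode("".join(fields[3:]))
    return dnssec_key_tag(flags, protocol, algorithm, public_key)


if __name__ == "__main__":
    # Constructed sample records (not real zone keys): a ZSK and a KSK sharing
    # the same 4-octet key text, plus a key whose sum overflows 16 bits.
    for rr in ("256 3 8 AQIDBA==", "257 3 8 AQIDBA==", "256 3 8 /////w=="):
        print(f"{rr}  ; key id = {key_tag_from_presentation(rr)}")
```

Flipping the ZSK flags (256) to KSK flags (257) changes the tag by exactly one, which shows how little of the tag's entropy comes from anything but the key text.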