CZ.NIC switches to NSEC3; is the very first to change the key algorithm

Prague, 3 August 2010 – The cryptographically stronger RSASHA512 algorithm and the very first change in key algorithm are both connected to the switching to a new version of the DNSSEC security technology – NSEC3. The CZ.NIC Association, administrator of the Czech national domain .CZ, started implementing NSEC3 this morning. The process, finishing with a request to IANA concerning the change of the root zone key, will take the whole day and is scheduled to end around 7 PM. During the switch, which will technically be closed by the end of August, all old keys will be revoked from the places where they were used before (ITAR, DLV, internet pages). The CZ.NIC Association introduced DNSSEC in autumn 2008. The implementation of NSEC3 was initiated according to schedule, after the root zone has been signed (on 15 July 2010).

“The switch to NSEC3 and the changes related to it will mostly affect operators of recursive DNS servers who perform validation using DNSSEC. If they haven’t already done so, those operators should switch to DNSSEC validation using the root zone key as soon as possible (they can find additional information on the internet site www.dnssec.cz) and upgrade to the latest version of the DNS server," advised Jaromír Talíř, technical director of the CZ.NIC Association who is supervising the implementation of NSEC3.

The whole process of key rotation and the switch to NSEC3 consists of three parts. The first already took place yesterday, and was a preparation for today’s switch. During this phase, among other things, new keys were generated. In the second step, scheduled for today, the actual change in signing will be carried out. At the end of August, the whole process is expected to finish with the entering of the new key into the root zone.

For more information on the switch to NSEC3, please visit the blog of the CZ.NIC Association.