If we’ve ever spoken about DNSSEC key rollovers, you’ll recall that I typically respond with something along the lines of “why would you want to do that?” or “when was the last time you rolled your car keys?”
It’s against the recommendations to not roll keys, and I’m all for recommendations except when they recommend that I roll my keys. :-) Some of you might have been surprised, then, to see me write that I was in the midst of a DNSSEC key rollover.
To be honest, it’s the first time I’ve done so for any of my domains, which I originally signed with RSASHA256 (algorithm 8) on PowerDNS. A lot of time has passed since then, including a migration to a new BIND environment: I exported the original keys and carried on using them on BIND. Why unnecessarily roll a key? The only reason I’m rolling now is that I’m changing the key algorithm to ECDSAP256SHA256 (algorithm 13).
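The one thing that makes an algorithm rollover different from an ordinary key rollover is that, while DNSKEYs for both algorithm 8 and algorithm 13 are published, every RRset in the zone must carry an RRSIG for each algorithm (RFC 6840, section 5.11), or strict validators may reject it. The script below is an added example, not the author's tooling: it parses presentation-format DNSKEY and RRSIG records from a constructed zone snippet (placeholder key and signature fields) and reports RRsets missing a signature for a published algorithm; it checks presence only and does not validate signatures.

```python
# Added example: presence check for the dual-signing phase of a DNSSEC algorithm rollover.
import re
from collections import defaultdict

# Presentation-format records; TTL and class are optional in these patterns.
DNSKEY_RE = re.compile(r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+\d+\s+\d+\s+(\d+)\s")
RRSIG_RE = re.compile(r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(\S+)\s+(\d+)\s")

# Constructed sample: algorithm 8 (RSASHA256) and 13 (ECDSAP256SHA256) keys are both
# published, but the A RRset has only been signed with the old algorithm.
# Key and signature fields are placeholders, not real key material.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 8 KSK8PLACEHOLDER==
example.test. 3600 IN DNSKEY 256 3 8 ZSK8PLACEHOLDER==
example.test. 3600 IN DNSKEY 257 3 13 KSK13PLACEHOLDER==
example.test. 3600 IN DNSKEY 256 3 13 ZSK13PLACEHOLDER==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20990101000000 20000101000000 11111 example.test. SIG8==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20990101000000 20000101000000 22222 example.test. SIG13==
example.test. 3600 IN RRSIG SOA 8 2 3600 20990101000000 20000101000000 33333 example.test. SIG8==
example.test. 3600 IN RRSIG SOA 13 2 3600 20990101000000 20000101000000 44444 example.test. SIG13==
www.example.test. 3600 IN RRSIG A 8 3 3600 20990101000000 20000101000000 33333 example.test. SIG8==
"""

def dnskey_algorithms(zone_text):
    """Set of algorithm numbers present in the DNSKEY RRset."""
    return {int(m.group(1)) for line in zone_text.splitlines()
            if (m := DNSKEY_RE.match(line))}

def signed_algorithms(zone_text):
    """Map each covered RR type to the set of algorithms that have an RRSIG over it."""
    covered = defaultdict(set)
    for line in zone_text.splitlines():
        if m := RRSIG_RE.match(line):
            covered[m.group(1).upper()].add(int(m.group(2)))
    return covered

def rollover_gaps(zone_text):
    """RR types lacking an RRSIG for some published algorithm -> sorted missing algorithms."""
    required = dnskey_algorithms(zone_text)
    return {rtype: sorted(required - algs)
            for rtype, algs in signed_algorithms(zone_text).items()
            if required - algs}

if __name__ == "__main__":
    print("published algorithms:", sorted(dnskey_algorithms(SAMPLE_ZONE)))
    print("RRsets missing signatures:", rollover_gaps(SAMPLE_ZONE) or "none")
```

Run it against a full `dig +dnssec AXFR` dump or a signed zone file: an empty result means every RRset is signed under every published algorithm, which is the state to reach before removing the algorithm 8 keys.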
As soon as these two rollovers are complete, I’m not likely to do another for my own zones. It’s nerve-racking. #justkidding