Sep 28 – 29, 2020
UTC timezone

Our journey to elliptic stuff

Sep 28, 2020, 5:00 PM
Standard Presentation Online Workshop OARC 33 Day 1


Vincent Levigneron (AFNIC)


AFNIC operates more than 20 TLDs, all of them signed with RSA/SHA-256 2048-bit ZSK/KSK keys.

We have just started to migrate all of them to ECDSA Curve P-256 with SHA-256. Beyond the rationale for that choice and why we decided to do it now, we would like to share our experience with people who are planning to follow a similar path.

We will explain why we had to improve our infrastructure of AEP Keyper HSMs, why we had to change all our key policies (goodbye standby keys) and migrate from OpenDNSSEC 1.4 to version 2.1. We also had to change the way we compile and use BIND and, of course, adapt our "home-made" applications. Of course we had some issues and found some limitations in tools, but in the end we have improved many things.


AFNIC migration to ECDSA Curve P-256 with SHA-256

Talk Duration 20 minutes

Primary author

Vincent Levigneron (AFNIC)

