AFNIC operates more than 20 TLDs, all of them signed with 2048-bit RSA/SHA-256 ZSK and KSK keys.
We have just started migrating all of them to ECDSA Curve P-256 with SHA-256. Beyond the rationale for that choice and for making it now, we would like to share our experience with people who are planning to follow a similar path.
We will explain why we had to improve our infrastructure of AEP Keyper HSMs, why we had to change all our key policies (goodbye standby keys) and migrate from OpenDNSSEC 1.4 to 2.1, and how we had to change the way we compile and use BIND and, of course, adapt our home-made applications. We ran into some issues and found some limitations in the tools, but in the end we have improved many things.
Event: OARC 34 (physical or virtual)
Title: AFNIC migration to ECDSA Curve P-256 with SHA-256
Talk Duration: 20 minutes