Feb 8 – 9, 2024 Workshop
Embassy Suites Charlotte Uptown
US/Eastern timezone

GOV multi-signer transition with NSEC/NSEC3

Feb 8, 2024, 2:20 PM
Salon A/B (Embassy Suites Charlotte Uptown)

Salon A/B

Embassy Suites Charlotte Uptown

401 East Martin Luther King Jr Blvd Charlotte NC 28202 United States
In-Person Standard Presentation Main Session OARC 42 Day 1


Christian Elmerot (Cloudflare)


In 2023 operations for the .GOV TLD transitioned from Verisign to Cloudflare. One interesting aspect of this transition was the different approaches to DNSSEC signing by Verisign and Cloudflare. Whereas Verisign uses offline signing with RSA (algorithm 8) and NSEC3, Cloudflare generally uses online signing with ECDSA (algorithm 13) and NSEC.

Although the parties agreed to transition using only RSA, we wanted to test the statement in RFC 8901 ("Multi-Signer DNSSEC Models") that says "NSEC and NSEC3 can be used by different providers to serve the same zone." After extensive testing by both parties, we found no reasons why it shouldn't work, and this approach was used for the transition. To the best of our knowledge, this is likely to be the first time that a signed zone of such significance was operated using NSEC and NSEC3 at the same time.

Primary author

Christian Elmerot (Cloudflare)

Presentation materials