How to change DNSSEC Algorithm in ISPConfig 3

This tutorial explains how to change your DNSSEC algorithm for a DNS zone managed by ISPConfig 3.

In this case, the current algorithm is 7 (NSEC3RSASHA1), and we will be moving to algorithm 13 (ECDSAP256SHA256).

Log in to the panel and open the settings for the zone. Enable the new algorithm, but DON'T disable the current algorithm yet.

When the new keys are generated, you can find them in the box "DNSSEC DS-Data for registry". You will see the keys for both your old and your new algorithm. It will look something like this:

; This is a zone-signing key, keyid 6417, for example.com.
; Created: 20200812004704 (Wed Aug 12 02:47:04 2020)
; Publish: 20200812004704 (Wed Aug 12 02:47:04 2020)
; Activate: 20200812004704 (Wed Aug 12 02:47:04 2020)
example.com. IN DNSKEY 257 3 13 DBOqv9nfRRmR7WoDH6WVSWra2gHkFF9gdvsVyDoyfv2D3oV3pGa2TAqw JMyLIrrB/LqyEnhowR3r9pWNISpbpw==

In this example, the keyid is 6417, it is the key-signing key (flags field 257), and the algorithm is 13.

Copy the new key-signing key to your registry, and fill in the necessary fields (ZSK/KSK, keyid, algorithm).

After adding the new KSK, wait for the changes to propagate. You can monitor this with https://dnsviz.net.

When the changes have propagated (this will probably take 4 to 24 hours), you can remove the old key(s) from your registry. Wait for that change to propagate as well. Only when it has propagated should you disable the old algorithm in the ISPConfig interface.
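As an added example, not code from the tutorial or from ISPConfig itself, the following Python script parses the DNSKEY line from the DS-Data box, derives the keyid (the RFC 4034 key tag) and the KSK/ZSK role from the record's own fields rather than from the comment line, and builds the matching DS record for the registry. The function names are my own, and the sample input is the record quoted above.

```python
import base64
import hashlib
import struct

# Constructed input shaped like the panel's "DNSSEC DS-Data for registry" box (the record quoted above).
PANEL_OUTPUT = """\
; This is a zone-signing key, keyid 6417, for example.com.
example.com. IN DNSKEY 257 3 13 DBOqv9nfRRmR7WoDH6WVSWra2gHkFF9gdvsVyDoyfv2D3oV3pGa2TAqw JMyLIrrB/LqyEnhowR3r9pWNISpbpw==
"""

def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, key_bytes) from the first DNSKEY line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue  # skip blank lines and ';' comment lines
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        key = base64.b64decode("".join(fields[i + 4:]))  # the panel splits the base64 with spaces
        return fields[0], flags, proto, alg, key
    raise ValueError("no DNSKEY record found")

def dnskey_rdata(flags, proto, alg, key):
    return struct.pack("!HBB", flags, proto, alg) + key  # wire-format RDATA: flags, protocol, algorithm, key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag; this is the 'keyid' the panel shows and the registry asks for."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(owner):
    """Owner name in canonical wire form: lower case, length-prefixed labels, terminating root byte."""
    labels = owner.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_record(owner, flags, proto, alg, key):
    """Return (keyid, role, DS line) using a SHA-256 digest (DS digest type 2)."""
    rdata = dnskey_rdata(flags, proto, alg, key)
    role = "KSK" if flags & 1 else "ZSK"  # SEP bit: flags 257 is a KSK, 256 a ZSK
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    tag = key_tag(rdata)
    return tag, role, f"{owner} IN DS {tag} {alg} 2 {digest}"

if __name__ == "__main__":
    owner, flags, proto, alg, key = parse_dnskey(PANEL_OUTPUT)
    tag, role, ds = ds_record(owner, flags, proto, alg, key)
    print(f"{role} keyid={tag} algorithm={alg} ({len(key)}-byte public key)\n{ds}")
```

Run it on the new key's DNSKEY line and check that the keyid, role and algorithm it reports match what you enter at the registry (13 for the new KSK, 7 for the old one) before the old key is removed.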

Many thanks to Th0m for writing this tutorial.
