In November, Norid will perform a DNSSEC algorithm roll on all our zones under .no. The .no zone itself will not be changed at this time. During the roll, the DNSSEC keys in the zones (KSK and ZSK) will be changed from algorithm 8, RSASHA256, to algorithm 13, ECDSAP256SHA256. Only the keys for our own zone data, and the signatures for these will be changed. The change will therefore not have any direct consequences for the delegated domains, and no actions needed to be done on these.

During the roll, all the affected zones will temporarily have a double set of KSK and ZSK keys, and all the zone data will have a double set of signatures for the two keys. Because of this, the data in each zone will be bigger than normal, but this is not expected to be significant for resolver caches or DNS traffic.

We plan to start the roll on November 2nd. The roll will go on for about 20 days. The TLD zones .no and .sj are planned to be rolled early next year.

Published: 19 October 2021