In January next year, Norid will perform a DNSSEC algorithm roll on the zones .no and .sj. During the roll, the DNSSEC keys in the zones (KSK and ZSK) will be changed from algorithm 8, RSASHA256, to algorithm 13, ECDSAP256SHA256.

Only the keys for our own zone data, and the signatures for these will be changed. The change will therefore not have any direct consequences for the delegated domains, and no actions needed to be done on these.

During the roll, the zones will temporarily have a double set of KSK and ZSK keys, and all the zone data will have a double set of signatures for the two keys. Because of this, the data in the .no zone will be bigger than normal, but this is not expected to be significant for resolver caches or DNS traffic.

We plan to start the roll on January 5th. The roll will go on for about 20 days.

Published: 14 December 2021
Updated: 15 December 2021