OARC 42 (8-February 9, 2024): GOV multi-signer transition with NSEC/NSEC3 · DNS-OARC (Indico)
In 2023 operations for the .GOV TLD transitioned from Verisign to Cloudflare. One interesting aspect of this transition was the different approaches to DNSSEC signing by Verisign and Cloudflare. Whereas Verisign uses offline signing with RSA (algorithm 8) and NSEC3, Cloudflare generally uses online signing with ECDSA (algorithm 13) and NSEC.
Although the parties agreed to transition using only RSA, we wanted to test the statement in RFC 8901 ("Multi-Signer DNSSEC Models") that says "NSEC and NSEC3 can be used by different providers to serve the same zone." After extensive testing by both parties, we found no reasons why it shouldn't work, and this approach was used for the transition. To the best of our knowledge, this is likely to be the first time that a signed zone of such significance was operated using NSEC and NSEC3 at the same time.
