for your information, SWITCH will perform a DNSSEC algorithm rollover
from RSA to ECDSA for ch. and li.
ECDSA uses smaller keys and signatures than their RSA counterparts,
which means responses to DNS queries are smaller.
ECDSA was already standardised for use in DNSSEC in 2012. While
switch.ch has been signed with ECDSA since 2016, IANA the root zone
operator has only recently allowed TLDs to use it.
The changes to the ch. and li. zones DNSKEY record are as following with
times reported in UTC:
2018-11-21T13:30 Add new ECDSA key to DNSKEY record set
2018-12-21T13:30 Remove old RSA key from DNSKEY record set
Between this interval, the chain of trust for ch. and li. will be
updated in the root zone to point to the new ECDSA key only.
Operators of DNSSEC validating DNS resolvers do not need to do anything.
In the unlikely case that your validating DNS resolver only understands
RSA but not ECDSA, then it will answer to ch. or li. queries as if they
were not DNSSEC signed.
You can test which DNSSEC algorithms are supported by the DNS
resolver(s) configured on your system by visiting:
Daniel Stirnimann, SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24