What action to take first with DS algorithm migration?

frank picabia fpicabia at gmail.com
Wed Sep 14 14:23:26 UTC 2022


Hi,

I'm at the point in DNSSEC algorithm migration
where I have two types of keys involved in signing.
Both algorithm 7 and 8 are in use.

The top level domain registrar also has DS keys set up for both 7 and 8.

I need to coordinate pulling out algorithm 7 with the domain registrar so
our domain will be running against only algo 8.

Should the TLD registrar remove 7 first, or should I remove signing of zone
with the algo 7 keys before they make their change?

I noticed that when I tried removing signing with the algo 7 keys, and
checked the DNS state at https://dnsviz.net/d/acadiau.ca/dnssec/

I saw errors at the analyzer like this:

The DS RRset for the zone included algorithm 7 (RSASHA1NSEC3SHA1), but no
RRSIG with algorithm 7 covering the RRset was returned in the response.

I'm not sure if that would be a crippling error to DNS functionality
if I didn't reverse removal of algo 7 signing, which I've done after seeing
this.

Can I do removal of algo 7 at one side prior to the
other (Bind signing vs TLD Registrar side),
or do we have to try to coordinate this with the TLD
registrar as closely as possible?
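As an added illustration (not part of the original post, and not BIND or DNSViz code), the following hypothetical Python model encodes the rule behind the DNSViz message quoted above: every algorithm present in the parent's DS RRset must be represented by an RRSIG over the zone's RRsets (RFC 4035 / RFC 6840). It walks through the two possible removal orders, including a step for waiting out the parent DS TTL, and reports at which step a validator could see a DS algorithm with no matching signature. Step names and the cache model are simplifying assumptions made for the example.

```python
# Added example, not from the original post: a simplified model of the
# "every DS algorithm needs a covering RRSIG" check that DNSViz applies.

RSASHA1_NSEC3_SHA1 = 7   # algorithm being retired in the post
RSASHA256 = 8            # algorithm being kept


def check_consistency(ds_algs, rrsig_algs):
    """Return DS algorithms that have no RRSIG covering the zone's RRsets.
    A non-empty result is the condition DNSViz reports as an error."""
    return sorted(set(ds_algs) - set(rrsig_algs))


def simulate(order):
    """Apply the removal steps in `order` and record every step after which
    a validator could observe a DS algorithm without a matching RRSIG.

    Steps (assumed names for this example):
      'drop_ds'      - registrar removes the algorithm-7 DS record
      'wait_ds_ttl'  - enough time passes for caches to expire the old DS RRset
      'stop_signing' - the zone stops producing algorithm-7 RRSIGs
    """
    ds = {RSASHA1_NSEC3_SHA1, RSASHA256}        # DS RRset at the parent
    cached_ds = set(ds)                          # what a validator may still hold
    rrsig = {RSASHA1_NSEC3_SHA1, RSASHA256}     # algorithms signing the zone
    problems = []
    for step in order:
        if step == "drop_ds":
            ds.discard(RSASHA1_NSEC3_SHA1)
        elif step == "wait_ds_ttl":
            cached_ds = set(ds)                  # old DS RRset has aged out of caches
        elif step == "stop_signing":
            rrsig.discard(RSASHA1_NSEC3_SHA1)
        else:
            raise ValueError(f"unknown step {step!r}")
        # A validator may be working from the live DS RRset or a cached copy.
        missing = check_consistency(ds | cached_ds, rrsig)
        if missing:
            problems.append((step, missing))
    return problems


if __name__ == "__main__":
    for order in (["stop_signing", "drop_ds", "wait_ds_ttl"],
                  ["drop_ds", "stop_signing", "wait_ds_ttl"],
                  ["drop_ds", "wait_ds_ttl", "stop_signing"]):
        print(order, "->", simulate(order) or "no inconsistency observed")
```

Only the order that drops the DS record first and then waits out the DS TTL before the zone stops signing with algorithm 7 produces no step at which a validator could see the error quoted above.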