Migrating to a New Cryptographic Suite

Hauke Lampe lampe at hauke-lampe.de
Mon Jul 26 18:38:17 UTC 2010


----- Original message -----
> At present, I use the algorithm RSASHA-1 for DNSKEY, but I want to migrate
> from RSASHA-1 to RSASHA-256. When I resign the zone, it fails. So I wonder
> whether DNSSEC supports migrating RSASHA-1 to RSASHA-256 smoothly?

Yes, it does. Smoothness depends on the timing. You might find this summary useful:
http://snad.ncsl.nist.gov/dnssec/download/DNSSEC_Algorithm_rollover.pdf

Did you create a new key with the appropriate algorithm ID? dnssec-signzone can only sign the zone with algorithms present in the DNSKEY set.

The actual error message would be helpful, too.

If you have registered DS records with your parent zone, you must update them to include the new key(s).


Hauke.
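Added example, not part of the thread or of BIND: a small check a zone operator can run on the output of dnssec-signzone during the rollover. While both algorithms are in the DNSKEY set, RFC 4035 section 2.2 requires every RRset to carry an RRSIG from each of those algorithms; validators that only trust the new (or only the old) DS will otherwise see bogus data. The zone fragment below is constructed, and the key and signature blobs are placeholders; the algorithm numbers 5 (RSASHA1) and 8 (RSASHA256) are the IANA assignments.

```python
"""Check that a signed zone carries RRSIGs for every algorithm in its DNSKEY RRset.

Added example (not from the bind-users thread). During an RSASHA1 -> RSASHA256
rollover both algorithms are present in the apex DNSKEY set, and RFC 4035
section 2.2 requires each RRset to be signed with every algorithm listed there.
"""
from collections import defaultdict

# IANA DNSSEC algorithm numbers (RFC 4034 appendix A.1, RFC 5702)
ALGORITHM_NAMES = {5: "RSASHA1", 8: "RSASHA256"}

# Constructed fragment of a signed zone in the one-record-per-line layout
# dnssec-signzone writes. Key and signature data are placeholders.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2010072601 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20100825000000 20100726000000 11111 example.com. SIGDATA
example.com. 3600 IN RRSIG SOA 8 2 3600 20100825000000 20100726000000 22222 example.com. SIGDATA
example.com. 3600 IN DNSKEY 257 3 5 KEYDATA
example.com. 3600 IN DNSKEY 256 3 5 KEYDATA
example.com. 3600 IN DNSKEY 257 3 8 KEYDATA
example.com. 3600 IN DNSKEY 256 3 8 KEYDATA
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20100825000000 20100726000000 33333 example.com. SIGDATA
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20100825000000 20100726000000 44444 example.com. SIGDATA
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 5 3 3600 20100825000000 20100726000000 11111 example.com. SIGDATA
"""


def parse_zone(text):
    """Return (dnskey_algs, rrsets, rrsig_algs).

    dnskey_algs: set of algorithm numbers present in the DNSKEY RRset.
    rrsets:      (owner, type) -> record count, RRSIG excluded.
    rrsig_algs:  (owner, covered type) -> set of algorithms that signed it.
    """
    dnskey_algs = set()
    rrsets = defaultdict(int)
    rrsig_algs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # blank line, comment, or non-IN record
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "RRSIG":
            covered, alg = rdata[0], int(rdata[1])  # type covered, algorithm
            rrsig_algs[(owner, covered)].add(alg)
        else:
            rrsets[(owner, rtype)] += 1
            if rtype == "DNSKEY":
                dnskey_algs.add(int(rdata[2]))  # flags protocol ALGORITHM key
    return dnskey_algs, dict(rrsets), dict(rrsig_algs)


def find_coverage_gaps(text):
    """Map each under-signed RRset to the DNSKEY algorithms it has no RRSIG for."""
    dnskey_algs, rrsets, rrsig_algs = parse_zone(text)
    gaps = {}
    for key in rrsets:
        missing = dnskey_algs - rrsig_algs.get(key, set())
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    algs, _, _ = parse_zone(SAMPLE_ZONE)
    print("DNSKEY algorithms:", sorted(ALGORITHM_NAMES.get(a, str(a)) for a in algs))
    for (owner, rtype), missing in sorted(find_coverage_gaps(SAMPLE_ZONE).items()):
        names = ", ".join(ALGORITHM_NAMES.get(a, str(a)) for a in sorted(missing))
        print(f"{owner} {rtype}: no RRSIG for {names}")
```

Run against a real signed zone file instead of SAMPLE_ZONE after each dnssec-signzone pass; the constructed sample deliberately leaves www.example.com A signed only by RSASHA1, which is exactly the state that breaks validation once the parent publishes an RSASHA256 DS. The check is cleared once every RRset lists both algorithms, and again once the old keys and their signatures are removed at the end of the rollover.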




More information about the bind-users mailing list