Mixing Algorithms for DNSSEC

Mark Elkins mje at posix.co.za
Sat Oct 15 20:31:02 UTC 2011


True - no problem with a handful of zones.

Now assume a few thousand being automated from some script.

Wonder if OpenDNSSEC handles this at all?

OK - so I've rewritten my script to not worry (Don't Panic) - just keep
using the monthly KSKs with RSASHA1 until it sees a ZSK with the
RSASHA256 algorithm - then just switch over to creating KSKs with
RSASHA256 as well.

I just never knew switching Algorithms would bite me. No one ever told
me.

On Sat, 2011-10-15 at 20:58 +0100, Matthew Seaman wrote:
> On 15/10/2011 20:32, Mark Elkins wrote:
> > So what you are saying in practical terms is in order to migrate from
> > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> > cycle once a year) and then at exactly the same time start using
> > RSASHA256 on the KSKs (which cycle every month) - making any existing
> > ZSK using RSASHA1 (or their DSs in the parent) redundant after about a
> > further month.
> 
> You don't have to wait.  There's nothing to stop you doing an early key
> rollover for your ZSK, and switching algorithms.  Where you can either
> revoke the old ZSK or change its expiry date -- once you've got the DS
> records in the parent updated, of course.
> 
> 	Cheers,
> 
> 	Matthew
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Elkins <mje at posix.co.za>
Posix Systems
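The rule that "bites" in the exchange above is the DNSSEC requirement that every algorithm published in the apex DNSKEY RRset (and every algorithm referenced by a DS in the parent) must sign the whole zone, so a zone cannot carry a RSASHA256 KSK, let alone a RSASHA256 DS, before a RSASHA256 ZSK has re-signed everything. The following is an added example, not code from the post or from BIND or OpenDNSSEC: a small Python model of that check, the "wait for a RSASHA256 ZSK, then switch the monthly KSK" rule the script settles on, and a walk-through of a naive versus a conservative rollover. Key tags, the key sets and the step labels are constructed; the algorithm numbers are the IANA assignments, and the split-key layout (ZSKs sign zone data, KSKs sign the DNSKEY RRset) is an assumption stated in the code.

```python
"""Added example (not from the original post): a model of the DNSSEC
'every algorithm must sign the whole zone' rule (RFC 4035 s2.2, restated
for signers in RFC 6840 s5.11) that makes a naive RSASHA1 -> RSASHA256
switch go bogus, plus the scheduling rule the post's batch script uses.
Key tags, sample key sets and step labels are constructed; the algorithm
numbers are the IANA DNSKEY algorithm assignments."""
from dataclasses import dataclass

RSASHA1, RSASHA256 = 5, 8          # IANA DNSKEY algorithm numbers
KSK_FLAGS, ZSK_FLAGS = 257, 256    # SEP bit set / clear


@dataclass(frozen=True)
class Key:
    tag: int      # key tag; values below are constructed for the example
    flags: int
    alg: int

    @property
    def is_ksk(self) -> bool:
        return self.flags == KSK_FLAGS


def algorithm_problems(dnskeys, ds_algs):
    """Problems a strict validator can see in one snapshot of a zone.

    Assumption (split-key setup as in the post): ZSKs sign the zone's RRsets,
    KSKs sign the DNSKEY RRset, so an algorithm fully signs the zone only
    when it has both an active ZSK and an active KSK.
    """
    ksk_algs = {k.alg for k in dnskeys if k.is_ksk}
    zsk_algs = {k.alg for k in dnskeys if not k.is_ksk}
    problems = []
    # Rule 1: every algorithm in the DNSKEY RRset must sign every RRset.
    for alg in sorted(ksk_algs | zsk_algs):
        if alg not in zsk_algs:
            problems.append(f"alg {alg}: DNSKEY published but no ZSK signs the zone with it")
        if alg not in ksk_algs:
            problems.append(f"alg {alg}: DNSKEY published but no KSK signs the DNSKEY RRset with it")
    # Rule 2: every algorithm in the parent's DS RRset must have a key at the apex.
    for alg in sorted(set(ds_algs)):
        if alg not in ksk_algs:
            problems.append(f"alg {alg}: DS in parent but no KSK of that algorithm")
    return problems


def next_ksk_algorithm(dnskeys):
    """The post's rule for the monthly KSK job: keep issuing RSASHA1 KSKs
    until the yearly ZSK job has published a RSASHA256 ZSK, then switch."""
    zsk_algs = {k.alg for k in dnskeys if not k.is_ksk}
    return RSASHA256 if RSASHA256 in zsk_algs else RSASHA1


# Constructed walk-through: each step is (label, apex DNSKEYs, DS algorithms in parent).
ksk1, zsk1 = Key(11111, KSK_FLAGS, RSASHA1), Key(22222, ZSK_FLAGS, RSASHA1)
ksk8, zsk8 = Key(33333, KSK_FLAGS, RSASHA256), Key(44444, ZSK_FLAGS, RSASHA256)

NAIVE = [  # switch the monthly KSK first, which is what an unmodified script would do
    ("new KSK only", [ksk1, zsk1, ksk8], [RSASHA1]),
    ("DS for new KSK", [ksk1, zsk1, ksk8], [RSASHA1, RSASHA256]),
]

CONSERVATIVE = [  # both keys of the new algorithm first, DS last, old DS out before old keys
    ("start", [ksk1, zsk1], [RSASHA1]),
    ("add RSASHA256 ZSK + KSK, re-sign", [ksk1, zsk1, ksk8, zsk8], [RSASHA1]),
    ("publish new DS", [ksk1, zsk1, ksk8, zsk8], [RSASHA1, RSASHA256]),
    ("withdraw old DS", [ksk1, zsk1, ksk8, zsk8], [RSASHA256]),
    ("remove RSASHA1 keys", [ksk8, zsk8], [RSASHA256]),
]


def first_bad_step(steps):
    """Label of the first step a strict validator would reject, or None."""
    for label, keys, ds_algs in steps:
        if algorithm_problems(keys, ds_algs):
            return label
    return None


if __name__ == "__main__":
    for name, steps in (("naive", NAIVE), ("conservative", CONSERVATIVE)):
        print(name, "first bad step:", first_bad_step(steps))
    print("next KSK alg while only a RSASHA1 ZSK exists:",
          next_ksk_algorithm([ksk1, zsk1]))
```

Each step of the conservative list also has to be held for the relevant TTL (DNSKEY TTL before the DS change, DS TTL before removing old keys), which the model does not time. If the ZSKs also sign the DNSKEY RRset (BIND's dnssec-signzone default unless -x is given), the KSK half of rule 1 is moot and only the ZSK half bites; the script logic in next_ksk_algorithm is built for exactly that case.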