Mixing Algorithms for DNSSEC

Casey Deccio casey at deccio.net
Sat Oct 15 22:20:58 UTC 2011


On Sat, Oct 15, 2011 at 1:31 PM, Mark Elkins <mje at posix.co.za> wrote:

> True - no problem with a handful of zones.
>
> Now assume a few thousand being automated from some script.
>
> Wonder if OpenDNSSEC handles this at all?
>
> OK - so I've rewritten my script to not worry (Don't Panic) - just keep
> using the monthly KSKs with RSASHA1 until it sees a ZSK with the
> RSASHA256 algorithm - then just switch over to creating KSKs with
> RSASHA256 as well.
>
>
There are some documented procedures for algorithm rollovers in RFC 4641bis
that you should probably look at.  The current draft is at:

http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis-07

see section 4.1.5.

Regards,
Casey
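The rule that makes mixed-algorithm zones risky is RFC 4035 section 2.2: every RRset in the zone must carry an RRSIG from at least one key of each algorithm present in the apex DNSKEY RRset, or validators may treat the zone as bogus. The following is an added example, not code from the thread or from any project named in it; it models zone records as plain tuples (a constructed snapshot, not real zone data) and the function name `algorithm_gaps` is my own, so it runs offline without a DNS library.

```python
"""Check the RFC 4035 section 2.2 rule that bites mixed-algorithm zones: every RRset
must carry an RRSIG from at least one key of EACH algorithm listed in the apex
DNSKEY RRset. Records are modelled as tuples so the check runs without a DNS library."""

RSASHA1 = 5      # IANA DNSSEC algorithm numbers
RSASHA256 = 8

def algorithm_gaps(zone, apex):
    """Return sorted (owner, rrtype, algorithm) triples for each RRset that lacks an
    RRSIG made with an algorithm present in the apex DNSKEY RRset.
    Record shapes: ("DNSKEY", owner, flags, algorithm)
                   ("RRSIG", owner, type_covered, algorithm)
                   (rrtype, owner) for any other data."""
    apex_algs = {r[3] for r in zone if r[0] == "DNSKEY" and r[1] == apex}
    signed_with = {}                       # (owner, rrtype) -> set of signing algorithms
    for r in zone:
        if r[0] == "RRSIG":
            signed_with.setdefault((r[1], r[2]), set()).add(r[3])
    rrsets = {(r[1], r[0]) for r in zone if r[0] != "RRSIG"}
    return sorted((owner, rrtype, alg)
                  for owner, rrtype in rrsets
                  for alg in apex_algs - signed_with.get((owner, rrtype), set()))

# Constructed snapshot of the intermediate state described in the thread: an RSASHA1 KSK
# still published at the apex, an RSASHA256 ZSK signing the zone data, and only the
# DNSKEY RRset signed by both keys.
MIXED_ZONE = [
    ("DNSKEY", "example.", 257, RSASHA1),
    ("DNSKEY", "example.", 256, RSASHA256),
    ("RRSIG", "example.", "DNSKEY", RSASHA1),
    ("RRSIG", "example.", "DNSKEY", RSASHA256),
    ("SOA", "example."),
    ("RRSIG", "example.", "SOA", RSASHA256),
    ("A", "www.example."),
    ("RRSIG", "www.example.", "A", RSASHA256),
]

# The same zone once every RRset is signed with both algorithms, which is the state a
# conservative algorithm rollover keeps true for as long as keys of both algorithms
# are published.
DOUBLE_SIGNED_ZONE = MIXED_ZONE + [
    ("RRSIG", "example.", "SOA", RSASHA1),
    ("RRSIG", "www.example.", "A", RSASHA1),
]

if __name__ == "__main__":
    for label, zone in (("mixed", MIXED_ZONE), ("double-signed", DOUBLE_SIGNED_ZONE)):
        print(label, algorithm_gaps(zone, "example.") or "OK")
```

Run against a real zone, the same check is what a validator effectively performs, so any non-empty result is a zone that some resolvers will refuse to validate.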