Mixing Algorithms for DNSSEC
Phil Mayers
p.mayers at imperial.ac.uk
Sun Oct 16 11:13:30 UTC 2011
On 10/15/2011 08:32 PM, Mark Elkins wrote:
>
> So what you are saying in practical terms is in order to migrate from
> RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> cycle once a year) and then at exactly the same time start using
> RSASHA256 on the KSK's (which cycle every month) - making any existing
Why are you rotating your KSK monthly, but your ZSK yearly? That's the
wrong way round, surely?
(ZSK signs a lot more data, so a determined attacker has much more
known-plaintext with which to brute-force your ZSK; KSK only signs the
ZSK, so can be left in-place for longer)
More information about the bind-users
mailing list