DNSSEC Generating Zone Key hanging

Mark Elkins mje at posix.co.za
Sun Apr 22 16:03:42 UTC 2012


On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
> Thanks a lot, I have now resolved this issue. However, I was following
> the DNSSEC in 6 minutes guide [1]
> for learning purposes and I have followed all the steps up to "you are
> now serving DNSSEC signed zones".

Reading the presentation - which dates itself....

Slide 16, rather use 
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE zonename   (for ZSK)

Slide - 18: Also use RSASHA256 for the KSK. I personally use just 2048
bits for the KSK.

This avoids you having to do an algorithm rollover - which is a royal
pain in the proverbial. It's also what the 'root' uses.
('dig @i.root-servers.net. . dnskey' gives:
'DNSKEY 257 3 8' - and - 'DNSKEY 256 3 8')
The '8' part is algo RSASHA256, you probably have a '5' there.

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496

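The check Mark suggests above (run dig against the zone and read the
third number in each DNSKEY record) can be automated. The script below
is an added example for this thread, not code from the poster or from
BIND: it parses DNSKEY lines in the form dig prints them, computes the
RFC 4034 key tag so you can match each record to the
K<zone>+<alg>+<tag> file dnssec-keygen wrote, and flags any key still on
the RSASHA1 family (algorithm 5 or 7) as a candidate for the rollover to
algorithm 8. The two sample records are constructed, with deliberately
tiny fake public keys, so the whole thing runs offline.

```python
"""Audit DNSKEY records as printed by `dig <zone> dnskey`.

Added example for the bind-users thread above, not BIND code. The SAMPLE
records are constructed (fake, tiny public keys) so the script runs offline.
"""
import base64

# IANA DNSSEC algorithm numbers, the subset you are likely to meet.
ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
SHA1_FAMILY = {5, 7}

# Constructed sample: a zone whose ZSK is already on algorithm 8 but whose
# KSK is still on algorithm 5 (the situation the thread is talking about).
# dig may split the base64 key across several whitespace-separated chunks,
# as in the second record, so the parser joins everything after the algorithm.
SAMPLE = [
    "example.com.\t3600\tIN\tDNSKEY\t256 3 8 AwEAAavN",
    "example.com.\t3600\tIN\tDNSKEY\t257 3 5 AwEA AavN",
]


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA
    (flags || protocol || algorithm || public key).
    Algorithm 1 (RSAMD5) uses a different rule and is not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd index: low byte, even: high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY presentation-format line into its fields."""
    fields = line.split()
    i = fields.index("DNSKEY")            # ValueError if this is not a DNSKEY RR
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    if flags & 0x0001:
        role = "KSK"                      # SEP bit set: 257
    elif flags & 0x0100:
        role = "ZSK"                      # ZONE bit only: 256
    else:
        role = "not a zone key"
    return {
        "owner": fields[0],
        "flags": flags,
        "protocol": proto,
        "algorithm": alg,
        "algorithm_name": ALGORITHMS.get(alg, "unknown"),
        "role": role,
        "key_tag": key_tag(rdata),
    }


def key_filename(key: dict) -> str:
    """Stem of the file pair dnssec-keygen produced for this key, e.g.
    Kexample.com.+008+45783 (.key / .private)."""
    return f"K{key['owner']}+{key['algorithm']:03d}+{key['key_tag']:05d}"


def audit(lines) -> list:
    """Return one finding per key that still uses an RSASHA1-family algorithm."""
    findings = []
    for line in lines:
        key = parse_dnskey(line)
        if key["algorithm"] in SHA1_FAMILY:
            findings.append(
                f"{key['role']} tag {key['key_tag']} ({key_filename(key)}) uses "
                f"algorithm {key['algorithm']} {key['algorithm_name']}; "
                f"plan an algorithm rollover to 8 RSASHA256"
            )
    return findings


if __name__ == "__main__":
    for line in SAMPLE:
        k = parse_dnskey(line)
        print(f"{k['role']:4} alg {k['algorithm']:2} {k['algorithm_name']:18} "
              f"tag {k['key_tag']:5}  {key_filename(k)}")
    for finding in audit(SAMPLE):
        print("WARNING:", finding)
```

To run it against a live zone, feed it the output of
`dig +short <zone> dnskey` prefixed with the owner name, or the full
answer section of `dig <zone> dnskey`; any line without the literal
DNSKEY token is rejected rather than silently skipped.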

