Transitioning to new algorithm for DNSSEC
Petr Špaček
pspacek at isc.org
Thu May 5 16:45:01 UTC 2022
On 05. 05. 22 18:37, frank picabia wrote:
>
> Hi,
>
> I've been running a Bind set up with DNSSEC for many years.
> It was done following the guide at the digitalocean site.
>
> What I don't find in a nice guide, is how to change your algorithm
> to a more current one, and seamlessly make your domain
> run under this new chain of data.
>
> I tried it on my own estimates of what would be required, and
> it seemed to be poisoned by dropping mention of the prior
> keys files in my DNS while the Internet's cached info
> on our DS is still out there. Whatever has happened,
> I've got a running domain again, but there is an angry diagram
> being drawn at https://dnsviz.net/ when my domain (which
> will remain nameless) is analyzed.
>
> With DNS it is always hard to tell what is going on NOW due
> to caching, and breakage works this way as well.
>
> Is there a guide on transitioning the DNSSEC signing algorithm,
> or is ISC support the best way to handle this
> and avoid the risk of total DNS calamity?
We could provide specific answers if we knew enough. For "nameless
domains" the only answer I can reasonably provide is:
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
--
Petr Špaček
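A check for the failure frank describes above (the old DNSKEY withdrawn from the zone while a DS pointing at it is still cached), added here as an example that is not part of the thread: it rebuilds the DS digest from a DNSKEY the way the parent zone does and reports any DS that no published key satisfies. The zone name and key bytes are constructed placeholders.

```python
import hashlib

# DS digest types (RFC 4034 / 4509 / 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_HASH = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_name_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of the owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS fields as the parent publishes them: hash(owner-name wire form + DNSKEY RDATA)."""
    digest = DIGEST_HASH[digest_type](owner_name_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def chain_status(owner: str, ds_set: list, child_dnskeys: list) -> tuple:
    """Compare a DS set (e.g. what a resolver has cached) with the DNSKEYs the child
    serves now. Returns (linked, dangling): linked is True when at least one DS matches
    a published key; dangling lists (key_tag, algorithm) of every DS that matches none."""
    dangling = []
    for ds in ds_set:
        if not any(make_ds(owner, k, ds["digest_type"])["digest"] == ds["digest"]
                   for k in child_dnskeys):
            dangling.append((ds["key_tag"], ds["algorithm"]))
    return len(dangling) < len(ds_set), dangling

# Constructed sample: old RSASHA256 (8) KSK and new ECDSAP256SHA256 (13) KSK.
# Key bytes are placeholders, not real key material.
ZONE = "Example.Test."
OLD_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))

def rollover_check(old_key_removed: bool) -> tuple:
    """Resolver cache still holds only the DS for the old KSK. Dropping the old DNSKEY
    before that DS has been replaced and has expired from caches leaves it dangling."""
    cached_ds = [make_ds(ZONE, OLD_KSK)]
    child_keys = [NEW_KSK] if old_key_removed else [OLD_KSK, NEW_KSK]
    return chain_status(ZONE, cached_ds, child_keys)
```

Run against real data by feeding `chain_status` the DS RRset from the parent (or a resolver's cache) and the DNSKEY RRset from the child; an empty `dangling` list during the whole rollover is the condition to maintain.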