Transitioning to new algorithm for DNSSEC

nicolas at ncartron.org nicolas at ncartron.org
Thu May 5 16:44:10 UTC 2022


Hi,

On 5/5/22 6:37 PM, frank picabia <fpicabia at gmail.com> wrote:
> 
> Hi,
> 
> I've been running a Bind set up with DNSSEC for many years.
> It was done following the guide at the digitalocean site.
> 
> What I don't find in a nice guide, is how to change your algorithm
> to a more current one, and seamlessly make your domain
> run under this new chain of data.
> 
> I tried it on my own estimates of what would be required, and
> it seemed to be poisoned by dropping mention of the prior
> keys files in my DNS while the Internet's cached info
> on our DS is still out there.  Whatever has happened,
> I've got a running domain again, but there is an angry diagram
> being drawn at https://dnsviz.net/ when my domain (which
> will remain nameless) is analyzed.
> 
> With DNS it is always hard to tell what is going on NOW due
> to caching, and breakage works this way as well.
> 
> Is there a guide on transitioning the DNSSEC signing algorithm,
> or is ISC support the best way to handle this
> and avoid the risk of total DNS calamity?

Tony wrote a nice article about that: https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

Cheers,

-- 
Nico
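As an added illustration (my own code, not part of this thread and not from Tony's article), the breakage described in the question can be reproduced offline: a model of the conservative algorithm rollover from RFC 6781 section 4.1.4, checked against the rule that a resolver may hold the DS, DNSKEY and RRSIG RRsets from different steps, next to the shortcut of swapping the DS and dropping the old key at once. The algorithm numbers 7 and 13 are an illustrative choice, and the step ordering is my reading of the RFC.

```python
from itertools import product

# Illustrative algorithm numbers (IANA registry): 7 = RSASHA1-NSEC3-SHA1, 13 = ECDSAP256SHA256.
ALG_OLD, ALG_NEW = 7, 13
O, N = {ALG_OLD}, {ALG_NEW}
B = O | N  # both algorithms present


def validates(ds, dnskey, rrsig):
    """Conservative reading of RFC 4035 s2.2, as a strict validator (or dnsviz) applies it:
    some DS must match a published key, every algorithm in the DS RRset must sign
    the DNSKEY RRset, and every algorithm in the DNSKEY RRset must sign every RRset.
    Arguments are sets of algorithm numbers."""
    return bool(ds & dnskey) and ds <= rrsig and dnskey <= rrsig


def unsafe_cache_views(steps):
    """steps: (ds, dnskey, rrsig) states published in that order. Assumes each step
    waits out the TTLs of the previous one, so a resolver may still hold each of the
    three RRsets from the previous step, independently of the others. Returns the
    failing views as (step index, (ds from, dnskey from, rrsig from)), 0 = previous."""
    bad = []
    for n in range(1, len(steps)):
        prev, cur = steps[n - 1], steps[n]
        for picks in product((0, 1), repeat=3):
            ds, dnskey, rrsig = [(prev, cur)[p][i] for i, p in enumerate(picks)]
            if not validates(ds, dnskey, rrsig):
                bad.append((n, picks))
    return bad


# Conservative rollover, modelled after RFC 6781 s4.1.4 (my reading of its ordering).
CONSERVATIVE = [
    (O, O, O),  # initial: everything on the old algorithm
    (O, O, B),  # 1. sign with both algorithms first; a signature without its key is ignored
    (O, B, B),  # 2. publish the new DNSKEY
    (N, B, B),  # 3. swap the DS at the parent
    (N, N, B),  # 4. remove the old DNSKEY
    (N, N, N),  # 5. finally drop the old signatures
]

# The shortcut from the thread: old key files dropped while the old DS is still cached.
HASTY = [
    (O, O, O),
    (O, B, B),  # new key and new signatures added in one step
    (N, N, N),  # DS swapped and everything old removed at once
]

if __name__ == "__main__":
    for name, plan in (("conservative", CONSERVATIVE), ("hasty", HASTY)):
        print(name, "bogus cache views:", unsafe_cache_views(plan))
```

The conservative plan yields no failing view; the hasty plan fails in several, including a cached old DS meeting a fresh DNSKEY RRset that no longer carries the old algorithm, which is the picture dnsviz draws.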

