Transitioning to new algorithm for DNSSEC

frank picabia fpicabia at gmail.com
Thu May 5 18:08:38 UTC 2022


On Thu, May 5, 2022 at 1:46 PM <nicolas at ncartron.org> wrote:

> Hi,
>
> On 5/5/22 6:37 PM, frank picabia <fpicabia at gmail.com> wrote:
> >
> > Hi,
> >
> > I've been running a BIND setup with DNSSEC for many years.
> > It was done following the guide at the DigitalOcean site.
> >
> > What I don't find in a nice guide, is how to change your algorithm
> > to a more current one, and seamlessly make your domain
> > run under this new chain of data.
> >
> > I tried it on my own estimates of what would be required, and
> > it seemed to be poisoned by dropping mention of the prior
> > keys files in my DNS while the Internet's cached info
> > on our DS is still out there.  Whatever has happened,
> > I've got a running domain again, but there is an angry diagram
> > being drawn at https://dnsviz.net/ when my domain (which
> > will remain nameless) is analyzed.
> >
> > With DNS it is always hard to tell what is going on NOW due
> > to caching, and breakage works this way as well.
> >
> > Is there a guide on transitioning the DNSSEC signing algorithm,
> > or is ISC support the best way to handle this
> > and avoid the risk of total DNS calamity?
>
> Tony wrote a nice article about that:
> https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>
> Cheers,
>
> --
> Nico
>
>
Thanks for that.  My problem is these notes have little in common with how
the DigitalOcean guide ran it
(https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2),
and I don't think our domain registrar supports CDS records.

I don't understand how people can run little rndc commands as if this
sticks without putting an include for the keys in the zone file.  In our
setting, we re-sign the zone from our host management automation.  There's
not enough parallel in the world of that Math department's server and what
we have in our host management in production.  Normally I'd be flexible to
play around with something like this if it were Apache or something, but I
just experienced a domain outage that makes me prefer something I can
really believe in.
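The breakage described in this thread (old DNSKEYs dropped from the zone while the parent, and resolver caches, still carry the old DS) can be caught before the removal step by checking that every DS published at the parent still corresponds to a DNSKEY in the zone. The script below is an added example for that check, not code from the thread, from BIND, or from either linked guide; it computes DS records from DNSKEY RDATA as RFC 4034 specifies (key tag from Appendix B, digest over owner name plus RDATA) and reports DS records with no matching key. The owner name and both keys are constructed sample data, not real zone material, and the check covers any DS digest type present at the parent rather than only SHA-256.

```python
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256 (RFC 4509), 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab.lower().encode() for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY,
    computed as RFC 4034 section 5.1.4 specifies: digest(owner | DNSKEY RDATA)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def orphaned_ds(owner, parent_ds, zone_dnskeys):
    """DS records at the parent that no DNSKEY currently in the zone satisfies.
    A non-empty result is the broken state from the thread: validators holding
    that DS cannot build a chain, so the matching key must stay published."""
    orphans = []
    for ds in parent_ds:
        if ds[2] not in DIGEST_ALGS:
            orphans.append(ds)  # unknown digest type: nothing in the zone can match it
            continue
        if not any(ds_from_dnskey(owner, *k, digest_type=ds[2]) == ds for k in zone_dnskeys):
            orphans.append(ds)
    return orphans

# Constructed sample data (not real keys): old RSASHA256 KSK (alg 8), new ECDSAP256SHA256 KSK (alg 13)
OLD_KSK = (257, 3, 8, base64.b64encode(b"constructed-old-rsa-ksk").decode())
NEW_KSK = (257, 3, 13, base64.b64encode(b"constructed-new-ecdsa-ksk").decode())
OWNER = "example.com."

if __name__ == "__main__":
    parent = [ds_from_dnskey(OWNER, *OLD_KSK), ds_from_dnskey(OWNER, *NEW_KSK)]
    print("both keys in zone, orphans:", orphaned_ds(OWNER, parent, [OLD_KSK, NEW_KSK]))
    print("old key dropped early, orphans:", orphaned_ds(OWNER, parent, [NEW_KSK]))
```

In practice the parent list would come from a DS query against the parent zone and the key list from the zone's own DNSKEY RRset; the old key is safe to drop only once this check returns an empty list and the old DS has also expired from caches.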