Transitioning to new algorithm for DNSSEC

Tony Finch fanf at isc.org
Thu May 5 18:48:38 UTC 2022


frank picabia <fpicabia at gmail.com> wrote:
> On Thu, May 5, 2022 at 1:46 PM <nicolas at ncartron.org> wrote:
> >
> > Tony wrote a nice article about that:
> > https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>
> Thanks for that.  My problem is these notes have little in common with how
> the digital ocean guide ran it
> (https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2),

That guide is sadly very out of date. You really don't want to use SHA1
(https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html)
and for at least 10 years it has been much easier to use `named`'s
automatic signing than to use dnssec-signzone.

I think if you are still using `dnssec-signzone`, I would recommend
switching over to automatic signing with your existing keys, before doing
an algorithm rollover. And set up a test zone so that you can run through
the process a few times, so that you can learn from your mistakes before
doing it in production.

> and I don't think our domain registrar supports CDS records.

You can ignore the CDS stuff - my registrar didn't support it either, but
I have tools that can use my CDS records to work out the correct thing to
tell my registrar to do.

> I don't understand how people can run little rndc commands as if this
> sticks without putting an include for the keys in the zone file.

`named` automatically adds the keys to the zone according to the timing
information in the key files. (At least, that's the way I did it before
dnssec-policy made things even more automatic.)

-- 
Tony Finch  <fanf at isc.org>  (he/they)  Cambridge, England
Trafalgar: Northerly or northeasterly 4 or 5, occasionally 3 in far
southeast. Moderate, but slight in far southeast. Fair. Good.
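The post above says that `named` adds keys to the zone according to the timing metadata in the key files, and that an algorithm rollover should be rehearsed on a test zone first. The script below is an added example, not code from the post or from BIND: it parses the `; Publish:` / `; Activate:` / `; Inactive:` / `; Delete:` comments that `dnssec-keygen` and `dnssec-settime` write into `K*.key` files, works out which keys would be in the DNSKEY RRset and which would be signing at a chosen instant (using the meaning of those fields documented for `dnssec-settime`: Publish to Delete in the zone, Activate to Inactive signing), and lints the result. The lint is this example's own, not something `named` does: it flags SHA-1 based algorithms (5 and 7), a moment with no active KSK or ZSK, and the RFC 6781 §4.1.4 ordering problem where a new algorithm's DNSKEY is published before that algorithm is signing. The key files and the rollover schedule are constructed for the example; the key material is a placeholder.

```python
"""Added example: which keys would named's automatic signing publish and sign
with at a given time, read from the timing metadata in BIND K*.key files.
Key files below are constructed; the key material is a placeholder."""
import re
from datetime import datetime, timezone

ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
SHA1_ALGS = {5, 7}  # the RSA/SHA-1 algorithms the post says to avoid

# e.g. "; Publish: 20220515000000 (Sun May 15 00:00:00 2022)" -> (event, timestamp)
TIMING_RE = re.compile(r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})")
# e.g. "example.com. IN DNSKEY 257 3 13 <base64>" (an optional TTL may precede IN)
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+")


def at(day):
    """YYYYMMDD -> aware UTC datetime at midnight (key files are in UTC)."""
    return datetime.strptime(day, "%Y%m%d").replace(tzinfo=timezone.utc)


def parse_keyfile(text):
    """Return {name, flags, alg, role, timing} from the text of a K*.key file."""
    key = {"timing": {}}
    for line in text.splitlines():
        m = TIMING_RE.match(line)
        if m:
            key["timing"][m.group(1)] = datetime.strptime(m.group(2), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            continue
        m = DNSKEY_RE.match(line)
        if m:
            key["name"], key["flags"], key["alg"] = m.group(1), int(m.group(2)), int(m.group(3))
    if "flags" not in key:
        raise ValueError("no DNSKEY record found in key file")
    key["role"] = "KSK" if key["flags"] & 1 else "ZSK"  # SEP bit set => key-signing key
    return key


def key_state(key, t):
    """(published, active): Publish..Delete means in the zone, Activate..Inactive means signing."""
    tm = key["timing"]

    def between(start, end):
        return start in tm and tm[start] <= t and not (end in tm and tm[end] <= t)

    return between("Publish", "Delete"), between("Activate", "Inactive")


def check_keys(keys, t):
    """Lint the key set as it would look at time t; returns a list of warning strings."""
    published = [k for k in keys if key_state(k, t)[0]]
    signing = [k for k in keys if key_state(k, t)[1]]
    warnings = []
    for k in keys:
        if k["alg"] in SHA1_ALGS and any(key_state(k, t)):
            warnings.append(f"{k['role']} alg {k['alg']} ({ALG_NAMES[k['alg']]}) is SHA-1 based")
    for role in ("KSK", "ZSK"):
        if not any(k["role"] == role for k in signing):
            warnings.append(f"no active {role}")
    # RFC 4035 expects every algorithm in the DNSKEY RRset to sign the zone, so the
    # conservative rollover (RFC 6781 s4.1.4) activates a new algorithm before publishing it.
    for alg in sorted({k["alg"] for k in published}):
        for role in ("KSK", "ZSK"):
            if not any(k["alg"] == alg and k["role"] == role for k in signing):
                warnings.append(f"alg {alg} published but no active {role} of that algorithm")
    return warnings


def keyfile(name, flags, alg, **times):
    """Build a constructed K*.key file in the layout dnssec-keygen writes."""
    lines = [f"; This is a {'key' if flags & 1 else 'zone'}-signing key for {name}"]
    lines += [f"; {event}: {stamp}" for event, stamp in times.items()]
    lines.append(f"{name} IN DNSKEY {flags} 3 {alg} AAAAPLACEHOLDERKEYMATERIAL=")
    return "\n".join(lines)


# Constructed schedule: RSASHA1-NSEC3 keys retired, ECDSA P-256 keys introduced.
# New keys start signing on 10 May and are published on 15 May; old keys leave the
# DNSKEY RRset on 15 June and stop signing on 25 June (conservative order).
CONSTRUCTED_KEYS = [
    keyfile("example.com.", 257, 7, Publish="20210101000000", Activate="20210101000000",
            Delete="20220615000000", Inactive="20220625000000"),
    keyfile("example.com.", 256, 7, Publish="20210101000000", Activate="20210101000000",
            Delete="20220615000000", Inactive="20220625000000"),
    keyfile("example.com.", 257, 13, Activate="20220510000000", Publish="20220515000000"),
    keyfile("example.com.", 256, 13, Activate="20220510000000", Publish="20220515000000"),
]


def report(t, key_texts=CONSTRUCTED_KEYS):
    """Parse the key files and lint them at time t."""
    return check_keys([parse_keyfile(text) for text in key_texts], t)


if __name__ == "__main__":
    for day in ("20220512", "20220520", "20220620", "20220701"):
        print(day, report(at(day)) or "ok")
```

Run it against a directory of real key files by reading each `K*.key` into `key_texts`; walking the schedule day by day before touching production is the "run through the process a few times" the post recommends.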
