Transitioning to new algorithm for DNSSEC

frank picabia fpicabia at gmail.com
Thu May 5 18:53:47 UTC 2022


On Thu, May 5, 2022 at 3:48 PM Tony Finch <fanf at isc.org> wrote:

> frank picabia <fpicabia at gmail.com> wrote:
> > On Thu, May 5, 2022 at 1:46 PM <nicolas at ncartron.org> wrote:
> > >
> > > Tony wrote a nice article about that:
> > > https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
> >
> > Thanks for that.  My problem is these notes have little in common with
> > how the digital ocean guide ran it (
> > https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
> > ),
>
> That guide is sadly very out of date. You really don't want to use SHA1
> (https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html)
> and for at least 10 years it has been much easier to use `named`s
> automatic signing than to use dnssec-signzone.
>
> I think if you are still using `dnssec-signzone`, I would recommend
> switching over to automatic signing with your existing keys, before doing
> an algorithm rollover. And set up a test zone so that you can run through
> the process a few times, so that you can learn from your mistakes before
> doing it in production.
>
> > and I don't think our domain registrar supports CDS records.
>
> You can ignore the CDS stuff - my registrar didn't support it either, but
> I have tools that can use my CDS records to work out the correct thing to
> tell my registrar to do.
>
> > I don't understand how people can run little rndc commands as if this
> > sticks without putting an include for the keys in the zone file.
>
> `named` automatically adds the keys to the zone according to the timing
> information in the key files. (At least, that's the way I did it before
> dnssec-policy made things even more automatic.)
>
>
Agreed that the digital ocean guide is out of date. That's why I'm redoing
the steps with algorithm 8.  In our case, we have a DNS service to protect
from DDoS and we need to transfer the whole zone to them periodically or
from updates. I don't think the BIND built-in signing would work for this
situation.
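One way to rehearse the key timing Tony describes on a test zone before touching production, as an added example that is neither BIND's code nor anything posted in this thread: it parses the Publish/Activate/Inactive/Delete metadata that dnssec-keygen and dnssec-settime store in K*.key files, reports which keys named would publish and sign with at a chosen moment, and flags any DS algorithm at the parent that is not (yet, or any longer) signing the zone with both a KSK and a ZSK. The zone name, key files, key ids and timestamps are constructed, and the publish/sign rules are an approximation of named's behaviour, not its implementation.

```python
import re
from datetime import datetime, timezone
# Constructed sample key files (placeholder key material): an RSASHA1 (algorithm 5)
# KSK/ZSK pair being retired and an RSASHA256 (algorithm 8) pair taking over. The
# "; Field: stamp" lines mirror what dnssec-keygen/dnssec-settime write.
KEY_FILES = {
    "Kexample.com.+005+11111.key": "; Publish: 20200101000000 (Wed Jan  1 00:00:00 2020)\n"
        "; Activate: 20200101000000\n; Inactive: 20220601000000\n; Delete: 20220701000000\n"
        "example.com. IN DNSKEY 257 3 5 AwEAAoldKSK\n",
    "Kexample.com.+005+22222.key": "; Publish: 20200101000000\n; Activate: 20200101000000\n"
        "; Inactive: 20220601000000\n; Delete: 20220701000000\n"
        "example.com. IN DNSKEY 256 3 5 AwEAAoldZSK\n",
    "Kexample.com.+008+33333.key": "; Publish: 20220505000000\n; Activate: 20220505000000\n"
        "example.com. IN DNSKEY 257 3 8 AwEAAnewKSK\n",
    "Kexample.com.+008+44444.key": "; Publish: 20220505000000\n; Activate: 20220505000000\n"
        "example.com. IN DNSKEY 256 3 8 AwEAAnewZSK\n",
}
STAMP = re.compile(r"^;\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})", re.M)
DNSKEY = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s", re.M)
FAR = datetime.max.replace(tzinfo=timezone.utc)  # stands in for an unset timing field

def at(stamp):
    """Turn a YYYYMMDDHHMMSS stamp (the key-file format) into an aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_file(name, text):
    """Return id, role, algorithm and timing metadata of one K<zone>+<alg>+<id>.key."""
    flags, alg = map(int, DNSKEY.search(text).groups())
    return {"id": int(name.rsplit("+", 1)[1].split(".")[0]), "alg": alg,
            "role": "KSK" if flags & 1 else "ZSK",  # flags bit 0 is the SEP bit
            "times": {k: at(v) for k, v in STAMP.findall(text)}}

def key_state(key, now):
    """Approximation of named's rules: a key is in the DNSKEY RRset from Publish until
    Delete and signs from Activate until Inactive (an unset field is open-ended)."""
    t = key["times"]
    published = t.get("Publish", FAR) <= now < t.get("Delete", FAR)
    signing = published and t.get("Activate", FAR) <= now < t.get("Inactive", FAR)
    return published, signing

def rollover_check(key_files, now_stamp, ds_algorithms):
    """Return ({keyid: (published, signing)}, problems) at now_stamp. A problem is a DS
    algorithm at the parent with no signing KSK or ZSK; per RFC 6781 the old DS should
    be withdrawn before its keys go Inactive and the new DS added once the new signs."""
    now = at(now_stamp)
    keys = [parse_key_file(n, t) for n, t in key_files.items()]
    states = {k["id"]: key_state(k, now) for k in keys}
    signing = {(k["alg"], k["role"]) for k in keys if states[k["id"]][1]}
    problems = [f"DS algorithm {a} has no signing {r}" for a in sorted(ds_algorithms)
                for r in ("KSK", "ZSK") if (a, r) not in signing]
    return states, problems
```

Run it against the real key directory by reading each K*.key into the dict, and step the stamp through the planned Publish, Activate, Inactive and Delete dates to see when the registrar's DS change has to land.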