Mixing Algorithms for DNSSEC
casey at deccio.net
Sat Oct 15 22:20:58 UTC 2011
On Sat, Oct 15, 2011 at 1:31 PM, Mark Elkins <mje at posix.co.za> wrote:
> True - no problem with a handful of zones.
> Now assume a few thousand being automated from some script.
> Wonder if OpenDNSSEC handles this at all?
> OK - so I've rewritten my script to not worry (Don't Panic) - just keep
> using the monthly KSKs with RSASHA1 until it sees a ZSK with the
> RSASHA256 algorithm - then just switch over to creating KSKs with
> RSASHA256 as well.
There are some documented procedures for algorithm rollovers in RFC 4641bis
that you should probably look at. The current draft is at:
see section 4.1.5.
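
A check for the mixed state discussed in this thread (an RSASHA1 KSK alongside an RSASHA256 ZSK), added here as an example and not part of the original messages: RFC 4035 section 2.2 requires every RRset to carry an RRSIG from at least one key of each algorithm present in the apex DNSKEY RRset. The zone name, key data and signatures are constructed, the function names are hypothetical, and the parser assumes single-line records with authoritative data only (no delegations or glue).

```python
from collections import defaultdict

ALG_NAMES = {5: "RSASHA1", 8: "RSASHA256"}  # IANA DNSSEC algorithm numbers

# Constructed sample: single-line records, key and signature data shortened.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 5 AwEAAc0nstructedKSK
example.test. 3600 IN DNSKEY 256 3 8 AwEAAc0nstructedZSK
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20111115000000 20111015000000 11111 example.test. c2ln
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20111115000000 20111015000000 22222 example.test. c2ln
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20111115000000 20111015000000 22222 example.test. c2ln
"""

def parse(zone_text):
    """Yield (owner, rrtype, rdata_fields) for 'owner ttl IN type rdata...' lines."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) >= 5 and fields[2].upper() == "IN":
            yield fields[0].lower(), fields[3].upper(), fields[4:]

def missing_algorithms(zone_text, apex):
    """Map (owner, type) -> sorted algorithm numbers with no covering RRSIG."""
    apex = apex.lower()
    key_algs = set()              # algorithms in the apex DNSKEY RRset
    sig_algs = defaultdict(set)   # (owner, covered type) -> algorithms that signed it
    rrsets = set()
    for owner, rrtype, rdata in parse(zone_text):
        if rrtype == "DNSKEY" and owner == apex:
            key_algs.add(int(rdata[2]))   # rdata: flags, protocol, algorithm, key
        if rrtype == "RRSIG":
            sig_algs[(owner, rdata[0].upper())].add(int(rdata[1]))  # type covered, algorithm
        else:
            rrsets.add((owner, rrtype))
    gaps = {}
    for rrset in sorted(rrsets):
        absent = key_algs - sig_algs[rrset]
        if absent:
            gaps[rrset] = sorted(absent)
    return gaps

if __name__ == "__main__":
    for (owner, rrtype), algs in missing_algorithms(SAMPLE_ZONE, "example.test.").items():
        names = ", ".join(ALG_NAMES.get(a, str(a)) for a in algs)
        print(f"{owner} {rrtype}: no RRSIG for {names}")
```
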