Mixing Algorithms for DNSSEC
mje at posix.co.za
Sun Oct 16 11:57:09 UTC 2011
On Sun, 2011-10-16 at 12:13 +0100, Phil Mayers wrote:
> On 10/15/2011 08:32 PM, Mark Elkins wrote:
> > So what you are saying in practical terms is in order to migrate from
> > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> > cycle once a year) and then at exactly the same time start using
> > RSASHA256 on the KSK's (which cycle every month) - making any existing
> Why are you rotating your KSK monthly, but your ZSK yearly? That's the
> wrong way round, surely?
*blush* - Yes.
Should check what I write more closely. KSK about once a year and ZSK
about once a month is more or less what I really do.
Mark Elkins <mje at posix.co.za>
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4007 bytes
Desc: not available
More information about the bind-users