Mixing Algorithms for DNSSEC

Mark Elkins mje at posix.co.za
Sun Oct 16 11:57:09 UTC 2011

On Sun, 2011-10-16 at 12:13 +0100, Phil Mayers wrote:
> On 10/15/2011 08:32 PM, Mark Elkins wrote:
> >
> > So what you are saying in practical terms is in order to migrate from
> > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> > cycle once a year) and then at exactly the same time start using
> > RSASHA256 on the KSK's (which cycle every month) - making any existing
> Why are you rotating your KSK monthly, but your ZSK yearly? That's the 
> wrong way round, surely?

*blush* - Yes. 
Should check what I write more closely. KSK about once a year and ZSK
about once a month is more or less what I really do.
Mark Elkins <mje at posix.co.za>
Posix Systems
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4007 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20111016/4986891e/attachment.bin>

More information about the bind-users mailing list