KSK signing all records; NSEC3 algorithm status?
bind-users+phil at spodhuis.org
Thu May 29 05:10:50 UTC 2014
On 2014-05-29 at 00:59 -0400, Phil Pennock wrote:
> The new DNSKEY had id=33768 and when I deployed it, Bind signed the SOA
> with it but nothing else.
Bind 9.10 ARM (PDF-only??):
"However, if the new key is replacing an existing key of the same
algorithm, then the zone will be re-signed incrementally, with
signatures from the old key being replaced with signatures from the new
key as their signature validity periods expire. By default, this
rollover completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset."
This is the cause, isn't it? The KSK/ZSK distinction again is
irrelevant here. I'm not seeing any way to fix this, while keeping the
current id=53065 KSK.
Is there a way to transition in a timely manner while keeping current
If not, if I were to use dnssec-settime to set the 53065 key to be
retired in two days and generate a new KSK of same algorithm, what would
the timing be on switching to the new key and getting all the records
updated? I have a two hour TTL on the DS records in the parent, which
are currently for 53065.