BIND9 DNSSEC algorithm rollover for inline-signed zone

Sebastian Wiesinger sebastian at karotte.org
Thu Oct 6 20:57:13 UTC 2016


Hello,

Is there a guide for an algorithm rollover with BIND9 for an
inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
find a good guide for it. I already looked at the ISC DNSSEC Guide but
it doesn't seem to cover that the RRSIGs made by the new keys need to
be published before the DNSKEYs themselves are published in the zone.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant

