VS: 9.16.2 / DNSSEC / DS records
jukka.pakkanen at qnet.fi
Wed Apr 15 23:28:00 UTC 2020
And yet, after updating Gemtrade.fi to dnssec-policy, ZSK and KSK both "13", and updating the DS record at the .fi root, I still get:
(algorithm 13 not supportedsignature verification failed)
In Verisign DNSSEC verifier.
Lähettäjä: bind-users <bind-users-bounces at lists.isc.org> Puolesta Jukka Pakkanen
Lähetetty: 16. huhtikuuta 2020 1:22
Vastaanottaja: bind-users at isc.org
Aihe: 9.16.2 / DNSSEC / DS records
Updating from 9.14.11 to 9.16.2, and migrating existing signed zones to dnssec-policy, and have couple questions, probably quite trivial...
We have signed zones with different key algorithms, now I want everything under the same ecdsa256 policy. I guess when the key algorithm changes, example from 8 to 13, we need to update the DS key at the registrar as well?
About the DS keys, where can I find or retrieve them after the zone is automatically resigned by the dnssec-policy, to insert in to Hover.com's zone data?
The Finnish Traficom .fi root service was able to retrieve the new DS records it self, but for Hover need to insert them manually.
Do I need to keep the old DS records at the registrar for some period of time, of can I just swap the information there, without breaking anything?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users