9.16.2 / DNSSEC / DS records
marka at isc.org
Thu Apr 16 00:43:46 UTC 2020
Well the tester doesn’t support algorithm 13. The red x’s should be cautions as they aren’t failures (no working ds/dnskey pairs for supported algorithms in use), but rather the zone should be treated as insecure by the tester.
> On 16 Apr 2020, at 09:28, Jukka Pakkanen <jukka.pakkanen at qnet.fi> wrote:
> And yet, after updating Gemtrade.fi to dnssec-policy, ZSK and KSK both “13”, and updating the DS record at the .fi root, I still get:
> (algorithm 13 not supportedsignature verification failed)
> In Verisign DNSSEC verifier.
> Lähettäjä: bind-users <bind-users-bounces at lists.isc.org> Puolesta Jukka Pakkanen
> Lähetetty: 16. huhtikuuta 2020 1:22
> Vastaanottaja: bind-users at isc.org
> Aihe: 9.16.2 / DNSSEC / DS records
> Updating from 9.14.11 to 9.16.2, and migrating existing signed zones to dnssec-policy, and have couple questions, probably quite trivial…
> We have signed zones with different key algorithms, now I want everything under the same ecdsa256 policy. I guess when the key algorithm changes, example from 8 to 13, we need to update the DS key at the registrar as well?
> About the DS keys, where can I find or retrieve them after the zone is automatically resigned by the dnssec-policy, to insert in to Hover.com’s zone data?
> The Finnish Traficom .fi root service was able to retrieve the new DS records it self, but for Hover need to insert them manually.
> Do I need to keep the old DS records at the registrar for some period of time, of can I just swap the information there, without breaking anything?
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users