Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

Alan Batie alan at peak.org
Thu Mar 5 01:50:11 UTC 2020


On 3/3/20 5:26 PM, Tony Finch wrote:

> If you are doing an algorithm rollover, you should have 2 keys (ZSK and
> KSK) for each algorithm, 4 keys total. I only use dnssec-signzone if I'm
> testing or doing something weird, so I'm not familiar with it. (In
> production I use automatic signing in `named` because it is easier.) But
> you might be able to follow my howto inserting a dnssec-signzone before
> rndc reload and you might get something that will approximately work...

I'm letting named do the automatic signing/generation of RRSIG records,
but unless I'm missing something, you still have to generate the DNSKEY
records manually.  dnssec-verify is the tool in question complaining
about not including RSASHA1 keys and signatures.  I'm still in the
initial phases of setting this up, so I don't have to worry about
algorithm rollover so much, as except for a couple of test domains,
there's no DS record to cause them to get used.  I did build scripts for
doing the zsk and ksk rollovers though.

In short, I'm setting things up so there are only two keys: KSK and ZSK
using RSASHA256, which I think is the way things should be these days.

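As an added illustration that is not part of the thread or of BIND itself: the complaint described above boils down to an inventory question about the DNSKEY RRset, namely whether every algorithm that appears in it has both a KSK and a ZSK, and whether any of those algorithms is SHA-1 based. The script below is an offline checker for exactly that, written for this page. It parses DNSKEY records out of a zone-file fragment, groups them by algorithm number (IANA DNSSEC algorithm registry values; RSASHA1 is 5, RSASHA1-NSEC3-SHA1 is 7, RSASHA256 is 8), treats a key with the SEP flag bit set (flags 257) as the KSK and one without it (flags 256) as the ZSK, and computes each key's key tag per RFC 4034 Appendix B so it can be matched against the DS record at the parent. The zone fragment is constructed and its key material is placeholder bytes, not real RSA keys; the function names and the exact report wording are this example's own choices. It does not verify RRSIGs, so it is a pre-flight check, not a substitute for dnssec-verify.

```python
import base64
import re
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers; the two SHA-1 based ones are deprecated.
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}
SHA1_ALGORITHMS = {5, 7}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK (flags 257), clear on a ZSK (flags 256)

# Accepts "owner [TTL] [IN] DNSKEY flags protocol algorithm base64key" on one line.
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B, computed over the wire-format RDATA."""
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey
        ac = 0
        for i, b in enumerate(rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskeys(zone_text: str) -> list[DnsKey]:
    """Pull DNSKEY records out of zone-file text; other record types are ignored."""
    keys = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        m = DNSKEY_RE.match(line) if line else None
        if not m:
            continue
        owner, flags, proto, alg, b64 = m.groups()
        pubkey = base64.b64decode("".join(b64.split()))
        keys.append(DnsKey(owner, int(flags), int(proto), int(alg), pubkey))
    return keys


def check_dnskey_rrset(keys: list[DnsKey]) -> list[str]:
    """Report, per algorithm, missing roles and deprecated SHA-1 algorithms."""
    roles: dict[int, dict[str, int]] = {}
    for k in keys:
        counts = roles.setdefault(k.algorithm, {"ksk": 0, "zsk": 0})
        counts["ksk" if k.is_ksk else "zsk"] += 1
    problems = []
    for alg, counts in sorted(roles.items()):
        name = ALGORITHMS.get(alg, f"alg{alg}")
        if alg in SHA1_ALGORITHMS:
            problems.append(f"{name} ({alg}): SHA-1 based and deprecated; roll to RSASHA256 or ECDSA")
        if counts["ksk"] == 0:
            problems.append(f"{name} ({alg}): no KSK")
        if counts["zsk"] == 0:
            problems.append(f"{name} ({alg}): no ZSK")
    return problems


# Constructed zone fragment: the base64 keys are placeholder bytes, not real RSA keys.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 8 AAE=   ; RSASHA256 KSK
example.test. 3600 IN DNSKEY 256 3 8 AAI=   ; RSASHA256 ZSK
example.test. 3600 IN DNSKEY 257 3 5 AAM=   ; leftover RSASHA1 KSK with no matching ZSK
example.test. 3600 IN A 192.0.2.1
"""

if __name__ == "__main__":
    found = parse_dnskeys(SAMPLE_ZONE)
    for k in found:
        print(f"{k.owner} {'KSK' if k.is_ksk else 'ZSK'} alg={k.algorithm} tag={k.key_tag()}")
    for p in check_dnskey_rrset(found):
        print("PROBLEM:", p)
```

Run against the real zone (for example the output of `dig @localhost example.test DNSKEY` saved to a file), the report tells you whether a stray algorithm-5 key is what is tripping the verifier, and the printed key tag of the KSK is the number that must appear in the parent's DS record.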