Edwardo Garcia wdgarc88 at gmail.com
Wed Apr 28 00:52:41 UTC 2021

Hello all,

Many years ago we set up DNSSEC; our keys were generated with sha1, as was
the recommended way all those years back. We are also not DNSSEC gurus, so some
answers may be simple.

Now we want to upgrade this to sha256.

Also, we use ZSK -b 1024 and KSK -b 4096.
Even a modern Google result from APNIC shows an example ZSK of only 1024? Is this still

Is the best practice for doing this replacing the keys completely, more or
less like starting fresh again?

We do use inline signing and automatic maintain.

I see 9.16 makes it easy by not needing to do anything but set a policy, but we
are stuck on 9.14 for the time being.

I am OK with wiping the DS, keys, everything, and starting fresh if that is easiest,
unless there is another simple way?
