DNSSEC upgrade

@lbutlr kremels at kreme.com
Fri Apr 30 18:58:26 UTC 2021

On 30 Apr 2021, at 12:15, Tony Finch <dot at dotat.at> wrote:
> 	dig +ttlunits example.com ds @$(dig +short com ns | head -1)

I update the last of my zones over a month ago and they are still showing alg-7. The longest TTL int e zone files is 2w, but we're 29 days in.

Te signed file has

                        RRSIG   SOA 7 2 86400 (
                                20210509074649 20210425064649 45309 example.com.
                                GeekIXFT4s6xE8lRC3Rcx88b8YBRNnSxiy/8xqI= )
                        RRSIG   SOA 13 2 86400 (
                                20210509074649 20210425064649 11217 example.com.
                                vBSzUBNNf6u6BdQSAyQFbjD5R9g5HEKtei1yIADx8g== )

I'm sure I missed a step on these specific domains, but there are only a handful that are still using alg-7 and many more that are now on alg-13 only. The +ttlunits from above show 1d for the answer sections and 2d in the authority (com.) section.

If I do a dig ds on the domain (at or others, in addition to my own bind server), I only get the alg-13 key, but +dnssec shows both RRSIGs


'Somewhere, A Crime Is Happening,' said Dorfl. --Feet of Clay

More information about the bind-users mailing list