kremels at kreme.com
Fri Apr 30 18:58:26 UTC 2021
On 30 Apr 2021, at 12:15, Tony Finch <dot at dotat.at> wrote:
> dig +ttlunits example.com ds @$(dig +short com ns | head -1)
I updated the last of my zones over a month ago and they are still showing alg-7. The longest TTL in the zone files is 2w, but we're 29 days in.
The signed file has
RRSIG SOA 7 2 86400 (
20210509074649 20210425064649 45309 example.com.
RRSIG SOA 13 2 86400 (
20210509074649 20210425064649 11217 example.com.
I'm sure I missed a step on these specific domains, but there are only a handful that are still using alg-7 and many more that are now on alg-13 only. The +ttlunits from above show 1d for the answer sections and 2d in the authority (com.) section.
If I do a dig ds on the domain (at 126.96.36.199 or others, in addition to my own bind server), I only get the alg-13 key, but +dnssec shows both RRSIGs.
'Somewhere, A Crime Is Happening,' said Dorfl. --Feet of Clay
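
The comparison described in the message above (DS algorithms at the parent versus RRSIG algorithms still present in the signed zone), as an added example that is not part of the original post. The RRSIG fields follow the excerpt in the message; the DS key tag, the digest and the signature blobs are constructed placeholders.

```python
import re

# Constructed input (not captured data). RRSIG fields mirror the excerpt in
# the message; DS key tag, digest and signature blobs are placeholders.
PARENT_DS = ("example.com. 86400 IN DS 12345 13 2 "
             "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF\n")
SIGNED_ZONE = """\
example.com. 86400 IN RRSIG SOA 7 2 86400 (
        20210509074649 20210425064649 45309 example.com.
        AAAA== )   ; old algorithm
example.com. 86400 IN RRSIG SOA 13 2 86400 (
        20210509074649 20210425064649 11217 example.com.
        BBBB== )
"""

# "IN DS" (not bare "DS") so that "RRSIG DS ..." lines are never read as DS records.
DS_RE = re.compile(r"\bIN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+[0-9A-Fa-f]+")
# RRSIG: covered type, algorithm, labels, original TTL, expiry, inception, key tag, signer.
RRSIG_RE = re.compile(
    r"\bRRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d{14}\s+\d{14}\s+(\d+)\s+(\S+)")


def flatten(text):
    """Drop ';' comments and zone-file parentheses so each record is one token run."""
    lines = (line.split(";", 1)[0] for line in text.splitlines())
    return " ".join(" ".join(lines).replace("(", " ").replace(")", " ").split())


def ds_algorithms(text):
    """Algorithm numbers referenced by DS records (second RDATA field)."""
    return {int(m.group(2)) for m in DS_RE.finditer(flatten(text))}


def rrsig_algorithms(text):
    """Map covered type -> {algorithm: {key tags}} for every RRSIG found."""
    out = {}
    for m in RRSIG_RE.finditer(flatten(text)):
        out.setdefault(m.group(1), {}).setdefault(int(m.group(2)), set()).add(int(m.group(3)))
    return out


def compare(ds_text, zone_text):
    """Per covered type: DS algorithms lacking an RRSIG, and RRSIG algorithms with no DS."""
    ds = ds_algorithms(ds_text)
    return {rtype: {"missing": sorted(ds - set(algs)),    # in DS, no RRSIG with it
                    "leftover": sorted(set(algs) - ds)}   # RRSIG, not in any DS
            for rtype, algs in rrsig_algorithms(zone_text).items()}


if __name__ == "__main__":
    print(compare(PARENT_DS, SIGNED_ZONE))
```
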