DNSSEC upgrade
Tony Finch
dot at dotat.at
Fri Apr 30 19:08:49 UTC 2021
@lbutlr <kremels at kreme.com> wrote:
>
> I updated the last of my zones over a month ago and they are still
> showing alg-7.
>
> I'm sure I missed a step on these specific domains, but there are only a
> handful that are still using alg-7 and many more that are now on alg-13
> only.
Hmm, curious!

If you have swapped the DS records already, then all that is left to do is
remove the remains of the old algorithm. Have a look at the keys for the
problem zones like this:

    grep ^ Kexample.com.*.key

The algorithm 7 keys should all have inactive and delete times. If some of
the times are missing then you can fix it by re-doing the "decommission
old algorithm" step in my notes. It should get cleaned up immediately.

    https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

If that doesn't fix it, then the problem is elsewhere...
Tony.
--
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
Forties, Cromarty, Forth: North or northeast 2 to 4. Slight
occasionally moderate. Showers. Good.
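
Added example (not part of the original message, and not BIND's own tooling): a shell check that automates the inspection described above by reporting old-algorithm key files that lack an Inactive or Delete time. The function names are hypothetical, the assumed K*.key layout is stated in the comments, and the sample key files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Lists key files of the old
# algorithm whose timing metadata lacks an Inactive or Delete time.
# Assumed K*.key layout: "; Inactive: ..." / "; Delete: ..." comment lines
# and a record "<zone> [ttl] IN DNSKEY <flags> <protocol> <algorithm> <key>".

check_old_alg_keys() {   # usage: check_old_alg_keys ALG FILE...
    old_alg=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v alg="$old_alg" -v file="$f" '
            /^; Inactive:/ { inactive = 1 }
            /^; Delete:/   { deleted = 1 }
            /^[^;]/ {
                for (i = 1; i <= NF - 3; i++)
                    if ($i == "DNSKEY") keyalg = $(i + 3)
            }
            END {
                if (keyalg + 0 != alg + 0) exit
                if (!inactive) missing = missing " Inactive"
                if (!deleted)  missing = missing " Delete"
                if (missing != "") print file ": missing" missing
            }' "$f"
    done
}

make_sample_keys() {     # constructed sample key files, written into DIR
    d=$1
    printf '%s\n' '; Created: 20190101000000' '; Activate: 20190101000000' \
        '; Inactive: 20210301000000' '; Delete: 20210401000000' \
        'example.com. IN DNSKEY 256 3 7 AwEAAconstructed' \
        > "$d/Kexample.com.+007+11111.key"
    printf '%s\n' '; Created: 20190101000000' '; Activate: 20190101000000' \
        '; Inactive: 20210301000000' \
        'example.com. IN DNSKEY 257 3 7 AwEAAconstructed' \
        > "$d/Kexample.com.+007+22222.key"
    printf '%s\n' '; Created: 20210201000000' '; Activate: 20210201000000' \
        'example.com. IN DNSKEY 257 3 13 constructedkeydata' \
        > "$d/Kexample.com.+013+33333.key"
}

tmp=$(mktemp -d)
make_sample_keys "$tmp"
check_old_alg_keys 7 "$tmp"/Kexample.com.*.key
rm -rf "$tmp"
```

Any file it reports is an algorithm 7 key that still needs the missing times set before the old algorithm can be cleaned out of the zone.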