DNSSEC upgrade

Tony Finch dot at dotat.at
Fri Apr 30 19:08:49 UTC 2021


@lbutlr <kremels at kreme.com> wrote:
>
> I updated the last of my zones over a month ago and they are still
> showing alg-7.
>
> I'm sure I missed a step on these specific domains, but there are only a
> handful that are still using alg-7 and many more that are now on alg-13
> only.

Hmm, curious!

If you have swapped the DS records already, then all that is left to do is
remove the remains of the old algorithm. Have a look at the keys for the
problem zones like this:

	grep ^ Kexample.com.*.key

The algorithm 7 keys should all have inactive and delete times. If some of
the times are missing then you can fix it by re-doing the "decommission
old algorithm" step in my notes. It should get cleaned up immediately.

https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

If that doesn't fix it, then the problem is elsewhere...

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Forties, Cromarty, Forth: North or northeast 2 to 4. Slight
occasionally moderate. Showers. Good.
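
The key-file check described in the message above, as an added example that is not part of the original e-mail or of BIND itself: a shell function that lists algorithm 7 key files for a zone that lack an Inactive or Delete time. The function names, the example.com zone, and the key ids and dates in the sample files are constructed for illustration.

```shell
#!/bin/sh
# BIND key files are named K<zone>.+<alg>+<keyid>.key and carry timing
# metadata as comment lines, e.g. "; Inactive: 20210301000000 (...)".

# list_unretired_alg7 DIR ZONE
# Prints "<file>: missing <fields>" for each algorithm 7 key of ZONE that
# lacks an Inactive or Delete time. Returns 1 if any such key exists.
list_unretired_alg7() {
    dir=$1; zone=$2; status=0
    for key in "$dir"/K"$zone".+007+*.key; do
        [ -e "$key" ] || continue            # glob matched nothing
        missing=
        for field in Inactive Delete; do
            grep -q "^; $field: [0-9]" "$key" || missing="$missing $field"
        done
        if [ -n "$missing" ]; then
            echo "${key##*/}: missing$missing"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample key files: key ids, dates and key data are placeholders.
make_demo_keys() {
    cat > "$1/Kexample.com.+007+11111.key" <<'EOF'
; This is a zone-signing key, keyid 11111, for example.com.
; Activate: 20190101000000 (Tue Jan  1 00:00:00 2019)
; Inactive: 20210301000000 (Mon Mar  1 00:00:00 2021)
; Delete: 20210301000000 (Mon Mar  1 00:00:00 2021)
example.com. IN DNSKEY 256 3 7 PLACEHOLDER
EOF
    cat > "$1/Kexample.com.+007+22222.key" <<'EOF'
; This is a key-signing key, keyid 22222, for example.com.
; Activate: 20190101000000 (Tue Jan  1 00:00:00 2019)
; Inactive: 20210301000000 (Mon Mar  1 00:00:00 2021)
example.com. IN DNSKEY 257 3 7 PLACEHOLDER
EOF
    cat > "$1/Kexample.com.+013+33333.key" <<'EOF'
; This is a key-signing key, keyid 33333, for example.com.
; Activate: 20210101000000 (Fri Jan  1 00:00:00 2021)
example.com. IN DNSKEY 257 3 13 PLACEHOLDER
EOF
}

tmp=$(mktemp -d)
make_demo_keys "$tmp"
list_unretired_alg7 "$tmp" example.com || echo "alg-7 keys still need retiring"
rm -rf "$tmp"
```

To check a real zone, call list_unretired_alg7 with the directory that holds the zone's key files and the zone name without its trailing dot.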
