DNSSEC upgrade

Tony Finch dot at dotat.at
Fri Apr 30 19:08:49 UTC 2021

@lbutlr <kremels at kreme.com> wrote:
> I update the last of my zones over a month ago and they are still
> showing alg-7.
> I'm sure I missed a step on these specific domains, but there are only a
> handful that are still using alg-7 and many more that are now on alg-13
> only.

Hmm, curious!

If you have swapped the DS records already, then all that is left to do is
remove the remains of the old algorithm. Have a look at the keys for the
problem zones like this:

	grep ^ Kexample.com.*.key

The algorithm 7 keys should all have inactive and delete times. If some of
the times are missing then you can fix it by re-doing the "decommission
old algorithm" step in my notes. It should get cleaned up immediately.


If that doesn't fix it, then the problem is elsewhere...

f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Forties, Cromarty, Forth: North or northeast 2 to 4. Slight
occasionally moderate. Showers. Good.

More information about the bind-users mailing list