AW: Deprecating auto-dnssec and inline-signing in 9.18+

Matthijs Mekking matthijs at isc.org
Tue Aug 10 12:51:58 UTC 2021


Hi Klaus,

On 10-08-2021 13:38, Klaus Darilion wrote:
> Hi Matthijs!
> 
>> We would like to encourage you to change your configurations to 
>> 'dnssec-policy'. See this KB article for migration help:
>> 
>> https://kb.isc.org/docs/dnssec-key-and-signing-policy
> 
> Some comments to this KB article and dnssec-policy:
> 
> - The article should mention how to retrieve the DS record from
> Bind.

I am not sure what you are asking. Do you mean how to convert the DS
from the DNSKEY record so you can submit it to the registrar?


> - How does Bind handle duplicate keyids when generating new keys?
> Will Bind ensure that there will not be any duplicate key ids or
> will it just use the duplicate keys? In the latter case the "rndc
> dnssec -checkds -key 12345 ..." commands will be ambiguous. (From a
> user perspective duplicate keyids should be avoided)

BIND will check for key id collision. When a conflict (for the same
algorithm) is detected, a new key will be generated.

Best regards,
   Matthijs


> 
> Thanks Klaus
> 
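
Added example, not part of the original thread and not BIND's own code: the key id discussed above is the 16-bit DNSKEY key tag from RFC 4034 Appendix B, a checksum over the RDATA, so two different keys can share one. The sketch below computes the tag, reports duplicates per algorithm, and retries generation on a conflict as the reply describes; the key names, sample bytes and the helper `generate_unique` are constructed for illustration.

```python
import os
import struct
from collections import defaultdict

def key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low one.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def find_collisions(keys):
    """Return {(algorithm, tag): [names]} for tags shared by more than one key."""
    seen = defaultdict(list)
    for name, (flags, protocol, algorithm, public_key) in keys.items():
        tag = key_tag(flags, protocol, algorithm, public_key)
        seen[(algorithm, tag)].append(name)
    return {k: names for k, names in seen.items() if len(names) > 1}

def generate_unique(keys, flags, algorithm, make_public_key, max_tries=100):
    """Hypothetical helper: regenerate until the tag is unused for this algorithm."""
    used = {key_tag(f, p, a, k) for f, p, a, k in keys.values() if a == algorithm}
    for _ in range(max_tries):
        public_key = make_public_key()
        if key_tag(flags, 3, algorithm, public_key) not in used:
            return (flags, 3, algorithm, public_key)  # DNSKEY protocol is always 3
    raise RuntimeError("no collision-free key found")

# Constructed sample keys (toy byte strings, not real key material):
# name -> (flags, protocol, algorithm, public key bytes)
SAMPLE_KEYS = {
    "ksk-a": (257, 3, 13, bytes([1, 2, 3, 4])),
    "ksk-b": (257, 3, 13, bytes([3, 2, 1, 4])),  # different key, same tag as ksk-a
    "ksk-c": (257, 3, 8, bytes([1, 2, 3, 4])),   # other algorithm, so no conflict
}

if __name__ == "__main__":
    print(find_collisions(SAMPLE_KEYS))
    new_key = generate_unique(SAMPLE_KEYS, 257, 13, lambda: os.urandom(64))
    print("new key tag:", key_tag(*new_key))
```
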

