DNSSEC upgrade

Edwardo Garcia wdgarc88 at gmail.com
Sat May 1 05:52:17 UTC 2021


One thing I note: all checks say everything is good, but when using dnsviz,
it says secure, shows the ecd...  but also puts up warnings that I am using
alg 13 but digest 1 (sha1), which is not allowed. I never use the setting
when creating keys as the guide says it is not needed; if this is a problem with them
or maybe the .com and .net zones having a longer TTL than ours (4 hours),
I am confused, but I am happy enough since verisignlabs says all green ticks.


On Sat, May 1, 2021 at 4:15 AM Tony Finch <dot at dotat.at> wrote:

> Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> >
> > One question however it talk about longest TTL, does this mean also root
> > TLD zones (.com, .net) which from memory are 48 hours, so before we delete
> > old keys we need wait 48 hours, even though our zone TTL was 24 ?
>
> When you are waiting after adding and signing with the new keys and before
> swapping the DS records, it's only the longest TTL in your own zone that
> matters. In my notes I call this the "child TTL" because the root and TLD
> etc. don't matter.
>
> https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>
> When you're waiting for the DS TTL it's only the TTL of that particular
> record that matters. (It's in the parent zone so I called it the parent
> TTL.) To be sure you are getting the right number you will need something
> like:
>
>         dig +ttlunits example.com ds @$(dig +short com ns | head -1)
>
> i.e. pick one of the nameservers of the parent zone and ask it for your
> zone's DS record, so you don't get misled by decremented cached TTLs.
> Note the DS TTL is often not the same as the parent NS or glue TTL.
>
> > Thank you, wow much much easy than I hoped for :-)
>
> I'm happy it helped!
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> Biscay: North, backing northwest later, 2 to 4, occasionally 5 later
> in east. Slight. Showers. Good.
>
>
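An added example, not from either poster, that wraps the parent-side check Tony describes: it reads the output of a `dig ... ds @<parent nameserver>` query (run without `+ttlunits`, so TTLs are plain seconds), reports the largest DS TTL as the wait after the DS swap, and lists any DS record still published with digest type 1 (SHA-1), the condition dnsviz warned Edwardo about. The sample dig answer, key tags and digests below are constructed; the zone name and the one-hour safety margin are assumptions.

```shell
#!/bin/sh
# Added example: analyse DS records returned by a parent-zone nameserver.
# Live use, following the thread's own command (no +ttlunits here):
#   dig example.com ds @$(dig +short com ns | head -1) | ds_max_ttl

# Largest TTL among DS records in dig output read from stdin.
# dig answer fields: name TTL class type keytag alg digesttype digest
ds_max_ttl() {
    awk '$3 == "IN" && $4 == "DS" { if ($2+0 > max) max = $2+0 } END { print max+0 }'
}

# DS records whose digest type is 1 (SHA-1); prints "keytag alg digesttype".
ds_sha1_digests() {
    awk '$3 == "IN" && $4 == "DS" && $7 == 1 { print $5, $6, $7 }'
}

# Seconds to wait after swapping DS records before removing the old keys:
# the DS TTL seen at the parent plus a safety margin (assumed: one hour).
ds_wait_seconds() {
    ttl="$1"; margin="${2:-3600}"
    echo $((ttl + margin))
}

# Constructed sample answer (key tags and digests are made up, not real data).
SAMPLE_DIG='
; <<>> DiG 9.16.1 <<>> example.com ds
;; ANSWER SECTION:
example.com.		86400	IN	DS	12345 13 2 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE7D2DE5F87EB4E7A6FF6B8B2F
example.com.		86400	IN	DS	12345 13 1 F1E2D3C4B5A6978877665544332211FFEEDDCCBB
'

# Stand-alone run on the constructed sample.
ttl=$(printf '%s\n' "$SAMPLE_DIG" | ds_max_ttl)
echo "DS TTL at parent: ${ttl}s -> wait at least $(ds_wait_seconds "$ttl")s after the DS swap"
printf '%s\n' "$SAMPLE_DIG" | ds_sha1_digests | while read -r tag alg dt; do
    echo "warning: DS for key tag $tag (alg $alg) uses digest type $dt (SHA-1)"
done
```

The earlier wait, before the DS swap, is governed by the longest TTL in your own zone, which this script does not measure.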