<div dir="ltr"><div>One thing I note, all check say everything is good, but when using dnsviz, it says secure, shows the ecd... but also puts up warnings that I am using alg 13 but digest 1 (sha1), which is not allowed, I never use the setting when create keys as the guide says not needed, if this a problem with them or maybe the .com and .net zones having longer TTL than ours (4 hours), confused, but I am happy enough since verisignlabs says all green ticks<br></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 1, 2021 at 4:15 AM Tony Finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Edwardo Garcia <<a href="mailto:wdgarc88@gmail.com" target="_blank">wdgarc88@gmail.com</a>> wrote:<br>
><br>
> One question however it talk about longest TTL, does this mean also root<br>
> TLD zones (.com, .net) which from memory are 48 hours, so before we delete<br>
> old keys we need wait 48 hours, even though our zone TTL was 24 ?<br>
<br>
When you are waiting after adding and signing with the new keys and before<br>
swapping the DS records, it's only the longest TTL in your own zone that<br>
matters. In my notes I call this the "child TTL" because the root and TLD<br>
etc. don't matter.<br>
<br>
<a href="https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html" rel="noreferrer" target="_blank">https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html</a><br>
<br>
When you're waiting for the DS TTL it's only the TTL of that particular<br>
record that matters. (It's in the parent zone so I called it the parent<br>
TTL.) To be sure you are getting the right number you will need something<br>
like:<br>
<br>
dig +ttlunits <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> ds @$(dig +short com ns | head -1)<br>
<br>
i.e. pick one of the nameservers of the parent zone and ask it for your<br>
zone's DS record, so you don't get mislead by decremented cached TTLs.<br>
Note the DS TTL is often not the same as the parent NS or glue TTL.<br>
<br>
> Thank you, wow much much easy than I hoped for :-)<br>
<br>
I'm happy it helped!<br>
<br>
Tony.<br>
-- <br>
f.anthony.n.finch <<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>> <a href="https://dotat.at/" rel="noreferrer" target="_blank">https://dotat.at/</a><br>
Biscay: North, backing northwest later, 2 to 4, occasionally 5 later<br>
in east. Slight. Showers. Good.<br>
<br>
</blockquote></div>