Well the tester doesn’t support algorithm 13. The red x’s should be cautions as they aren’t failures (no working ds/dnskey pairs for supported algorithms in use), but rather the zone should be treated as insecure by the tester.
Mark > On 16 Apr 2020, at 09:28, Jukka Pakkanen <jukka.pakka...@qnet.fi> wrote: > > And yet, after updating Gemtrade.fi to dnssec-policy, ZSK and KSK both “13”, > and updating the DS record at the .fi root, I still get: > > (algorithm 13 not supportedsignature verification failed) > > In Verisign DNSSEC verifier. > > > Lähettäjä: bind-users <bind-users-boun...@lists.isc.org> Puolesta Jukka > Pakkanen > Lähetetty: 16. huhtikuuta 2020 1:22 > Vastaanottaja: bind-us...@isc.org > Aihe: 9.16.2 / DNSSEC / DS records > > Updating from 9.14.11 to 9.16.2, and migrating existing signed zones to > dnssec-policy, and have couple questions, probably quite trivial… > > We have signed zones with different key algorithms, now I want everything > under the same ecdsa256 policy. I guess when the key algorithm changes, > example from 8 to 13, we need to update the DS key at the registrar as well? > > About the DS keys, where can I find or retrieve them after the zone is > automatically resigned by the dnssec-policy, to insert in to Hover.com’s zone > data? > > The Finnish Traficom .fi root service was able to retrieve the new DS records > it self, but for Hover need to insert them manually. > > Do I need to keep the old DS records at the registrar for some period of > time, of can I just swap the information there, without breaking anything? > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
