On 30 Apr 2021, at 12:15, Tony Finch <d...@dotat.at> wrote:
> 
>       dig +ttlunits example.com ds @$(dig +short com ns | head -1)

I updated the last of my zones over a month ago and they are still showing 
alg-7. The longest TTL in the zone files is 2w, but we're 29 days in.

The signed file has

                        RRSIG   SOA 7 2 86400 (
                                20210509074649 20210425064649 45309 example.com.
                                Oj+ObzW/dle9fJHffNqNCVd9udd8AQwxRXcq/BF5+fUu
                                wyS5Gb0htl2hrwyAXK24sA4aZ4RUiwNoKwJTeOGZPWeC
                                O2Eb2PkjsNUmd9UaIWKYrFroI8FZsqh4g8lM/YEdnpAq
                                GeekIXFT4s6xE8lRC3Rcx88b8YBRNnSxiy/8xqI= )
                        RRSIG   SOA 13 2 86400 (
                                20210509074649 20210425064649 11217 example.com.
                                yzrM5cWL6UYhzJ4cS+hMcZShBqwFZZR6LVRYntehHzVN
                                vBSzUBNNf6u6BdQSAyQFbjD5R9g5HEKtei1yIADx8g== )

I'm sure I missed a step on these specific domains, but there are only a 
handful that are still using alg-7 and many more that are now on alg-13 only. 
The +ttlunits from above shows 1d for the answer sections and 2d in the 
authority (com.) section.

If I do a dig ds on the domain (at 8.8.8.8 or others, in addition to my own 
bind server), I only get the alg-13 key, but +dnssec shows both RRSIGs.

Ideas?

-- 
'Somewhere, A Crime Is Happening,' said Dorfl. --Feet of Clay
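
A way to make the comparison described in the message repeatable, added here as an example (not part of the original post and not ISC code): parse DS and RRSIG records, including the parenthesised multi-line form shown above, and list the algorithms that still produce signatures but have no DS at the parent. The sample input is constructed; the DS key tag and all digest/signature strings are placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a DS record as dig would print it, plus two RRSIGs in
# the multi-line zone-file form. Digest and signature data are placeholders.
SAMPLE = """\
example.com.  86400 IN DS 12345 13 2 PLACEHOLDERDIGEST ; constructed key tag
              RRSIG   SOA 7 2 86400 (
                      20210509074649 20210425064649 45309 example.com.
                      PLACEHOLDERSIG7AAAA
                      PLACEHOLDERSIG7BBBB= )
              RRSIG   SOA 13 2 86400 (
                      20210509074649 20210425064649 11217 example.com.
                      PLACEHOLDERSIG13== )
"""

def logical_lines(text):
    """Strip ';' comments and fold '( ... )' continuations into one line."""
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\(([^()]*)\)", lambda m: " ".join(m.group(1).split()), text)
    return [line.split() for line in text.splitlines() if line.strip()]

def algorithms(text):
    """Return (DS algorithm numbers, {RRSIG algorithm: {(type covered, key tag)}})."""
    ds, sigs = set(), defaultdict(set)
    for tok in logical_lines(text):
        if "RRSIG" in tok:
            # RDATA order: covered alg labels origttl expire inception keytag signer sig
            i = tok.index("RRSIG")
            sigs[int(tok[i + 2])].add((tok[i + 1], int(tok[i + 7])))
        elif "DS" in tok:
            # RDATA order: keytag alg digest-type digest
            i = tok.index("DS")
            ds.add(int(tok[i + 2]))
    return ds, dict(sigs)

def without_ds(ds, sigs):
    """Algorithms that sign records but have no DS of the same algorithm."""
    return sorted(set(sigs) - ds)

if __name__ == "__main__":
    ds, sigs = algorithms(SAMPLE)
    print("DS algorithms:   ", sorted(ds))
    for alg, covered in sorted(sigs.items()):
        print(f"RRSIG algorithm {alg}: {sorted(covered)}")
    print("signing, no DS:  ", without_ds(ds, sigs))
```

Feeding it the combined output of the dig ds query and the signed zone file gives one list per zone, which makes the handful of zones still carrying alg-7 signatures easy to pick out.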
