On 30 Apr 2021, at 12:15, Tony Finch <d...@dotat.at> wrote: > > dig +ttlunits example.com ds @$(dig +short com ns | head -1)
I update the last of my zones over a month ago and they are still showing alg-7. The longest TTL int e zone files is 2w, but we're 29 days in. Te signed file has RRSIG SOA 7 2 86400 ( 20210509074649 20210425064649 45309 example.com. Oj+ObzW/dle9fJHffNqNCVd9udd8AQwxRXcq/BF5+fUu wyS5Gb0htl2hrwyAXK24sA4aZ4RUiwNoKwJTeOGZPWeC O2Eb2PkjsNUmd9UaIWKYrFroI8FZsqh4g8lM/YEdnpAq GeekIXFT4s6xE8lRC3Rcx88b8YBRNnSxiy/8xqI= ) RRSIG SOA 13 2 86400 ( 20210509074649 20210425064649 11217 example.com. yzrM5cWL6UYhzJ4cS+hMcZShBqwFZZR6LVRYntehHzVN vBSzUBNNf6u6BdQSAyQFbjD5R9g5HEKtei1yIADx8g== ) I'm sure I missed a step on these specific domains, but there are only a handful that are still using alg-7 and many more that are now on alg-13 only. The +ttlunits from above show 1d for the answer sections and 2d in the authority (com.) section. If I do a dig ds on the domain (at 8.8.8.8 or others, in addition to my own bind server), I only get the alg-13 key, but +dnssec shows both RRSIGs Ideas? -- 'Somewhere, A Crime Is Happening,' said Dorfl. --Feet of Clay _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users