Hello,

I implemented DNSSEC for my personal domain a good while ago with an older BIND and back then, I used the RSASHA1-NSEC3-SHA1 algorithm, which by now is not recommended... So I'm going to change the algorithm, probably to ECDSAP256SHA256, which should also be NSEC3 capable.

Since my domain is small and rarely changes, I'm not using any fancy updating features - I manage it manually, by editing the non-signed version of the zone file and then signing it to create a signed version.


Here I'd like to verify that I understand the steps required to change the DNSSEC key/algorithm without disruption:


1. create new keys for my zone

 * dnssec-keygen -a ECDSAP256SHA256 -n ZONE mydomain
 * dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE mydomain


2. include new keys in my zone while keeping old keys too:

    $INCLUDE Kmydomain.+008+14884.key         <- old key
    $INCLUDE Kmydomain.+008+27618.key         <- old key
    $INCLUDE Kmydomain.+013+10503.key         <- new key
    $INCLUDE Kmydomain.+013+39532.key         <- new key


3. sign the zone file

    /usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -e +3024000 -o mydomain -t mydomain.hosts


4. ask the registrar to add the new DS record to the TLD (I have to do this by mail, there is no 'self-service' UI)

5. wait at least one TTL (making sure to use the longest TTL in my zone)

6. ask the registrar to remove old DS record(s) (I don't quite remember why, but I had two)

7. wait another TTL period

8. remove old keys from zone

9. re-sign the zone


Will that be OK?


   Best regards,

     Danilo
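Added example, not code from Danilo's post or from BIND itself: a small Python helper that computes the key tag and the SHA-256 DS record for a DNSKEY line (the value you would send the registrar in step 4) and reports which KSKs in the zone still have no DS at the parent, so that steps 6 and 8 are only started once the parent's DS set really covers the new key. The DNSKEY material is a constructed all-zero placeholder, not a real P-256 key; function names are my own.

```python
import base64
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercase) wire form of an owner name (RFC 4034 section 6.2)."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Presentation-format DNSKEY line -> (owner, flags, algorithm, RDATA bytes)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return f[0], flags, alg, struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, rdata):
    """DS (digest type 2, SHA-256) that the parent must publish for this DNSKEY."""
    _, _, alg = struct.unpack("!HBB", rdata[:4])
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {alg} 2 {digest}"

def ksks_missing_ds(dnskey_lines, parent_ds_lines):
    """Key tags of KSKs (flags 257: ZONE + SEP bits) whose DS the parent does not
    publish. Withdraw the old DS (step 6) only when this list is empty, and drop
    an old KSK from the zone (step 8) only after its DS is gone and a TTL has passed."""
    have = {tuple(l.split()[-4:]) for l in parent_ds_lines}  # (tag, alg, type, digest)
    missing = []
    for line in dnskey_lines:
        owner, flags, alg, rdata = parse_dnskey(line)
        if flags & 0x0101 != 0x0101:   # ZSK: no DS is ever published for it
            continue
        if tuple(ds_record(owner, rdata).split()[-4:]) not in have:
            missing.append(key_tag(rdata))
    return missing

# Constructed sample: an all-zero 64-byte "public key" stands in for a real P-256 key.
FAKE_KEY = base64.b64encode(bytes(64)).decode()
SAMPLE_ZONE = [
    f"mydomain. IN DNSKEY 257 3 13 {FAKE_KEY}",   # new KSK (algorithm 13)
    f"mydomain. IN DNSKEY 256 3 13 {FAKE_KEY}",   # new ZSK: no DS expected
]

if __name__ == "__main__":
    print(ds_record("mydomain.", parse_dnskey(SAMPLE_ZONE[0])[3]))
    print("KSKs without a DS at the parent:", ksks_missing_ds(SAMPLE_ZONE, []))
```

Feed it the DNSKEY lines from your signed zone and the DS lines returned by a query to the TLD's servers; the result should match what dnssec-dsfromkey prints for the same key file.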


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users