On 05. 05. 22 18:37, frank picabia wrote:

Hi,

I've been running a BIND setup with DNSSEC for many years.
It was done following the guide at the digitalocean site.

What I don't find in a nice guide, is how to change your algorithm
to a more current one, and seamlessly make your domain
run under this new chain of data.

I tried it on my own estimates of what would be required, and
it seemed to be poisoned by dropping mention of the prior
key files in my DNS while the Internet's cached info
on our DS is still out there.  Whatever has happened,
I've got a running domain again, but there is an angry diagram
being drawn at https://dnsviz.net/ when my domain (which
will remain nameless) is analyzed.

With DNS it is always hard to tell what is going on NOW due
to caching, and breakage works this way as well.

Is there a guide on transitioning the DNSSEC signing algorithm,
or is ISC support the best way to handle this
and avoid the risk of total DNS calamity?

We could provide specific answers if we knew enough. For "nameless domains" the only answer I can reasonably provide is:
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

--
Petr Špaček