> On 6 May 2022, at 04:53, frank picabia <fpica...@gmail.com> wrote:
> 
> 
> 
> On Thu, May 5, 2022 at 3:48 PM Tony Finch <f...@isc.org> wrote:
> frank picabia <fpica...@gmail.com> wrote:
> > On Thu, May 5, 2022 at 1:46 PM <nico...@ncartron.org> wrote:
> > >
> > > Tony wrote a nice article about that:
> > > https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
> >
> > Thanks for that.  My problem is these notes have little in common with how
> > the digital ocean guide
> > ran it (
> > https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
> > ),
> 
> That guide is sadly very out of date. You really don't want to use SHA1
> (https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html)
> and for at least 10 years it has been much easier to use `named`s
> automatic signing than to use dnssec-signzone.
> 
> I think if you are still using `dnssec-signzone`, I would recommend
> switching over to automatic signing with your existing keys, before doing
> an algorithm rollover. And set up a test zone so that you can run through
> the process a few times, so that you can learn from your mistakes before
> doing it in production.
> 
> > and I don't think our domain registrar supports CDS records.
> 
> You can ignore the CDS stuff - my registrar didn't support it either, but
> I have tools that can use my CDS records to work out the correct thing to
> tell my registrar to do.
> 
> > I don't understand how people can run little rndc commands as if this
> > sticks without putting an include for the keys in the zone file.
> 
> `named` automatically adds the keys to the zone according to the timing
> information in the key files. (At least, that's the way I did it before
> dnssec-policy made things even more automatic.)

It still does.  dnssec-policy just automates steps that were done manually
previously.

> Agreed that the digital ocean guide is out of date. That's why I'm redoing 
> the steps with
> algorithm 8.  In our case, we have a DNS service to protect from DDOS
> and we need to transfer the whole zone to them periodically or from updates.
> I don't think the Bind built-in signing would work for this situation.

Of course it does.  You can extract the signed zone the same way as secondaries
transfer it.  Whatever you were doing for DDOS protection can still be done
with named signing the zone.  The key files are still there.  The zone content
is still there.

> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
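An added example (not from this thread, and not ISC code) of the workflow the reply describes: pull the signed zone out of `named` the way a secondary would, then sanity-check it before handing it to a DDoS-protection provider. It assumes a zone transfer dumped in presentation format with one record per line, as `dig @127.0.0.1 example.com AXFR` prints it (the transfer itself is not run here); the zone text, owner names, key tags and signature blobs are constructed placeholders, and the algorithm number 8 is the one the thread is rolling to.

```shell
#!/bin/sh
# Added example, not from the thread or ISC: sanity-check a signed zone pulled
# out of named (as a secondary would, e.g. `dig @127.0.0.1 example.com AXFR`)
# before handing it to a DDoS-protection provider. Everything below is
# constructed sample data in presentation format; owner names, key tags and
# signature blobs are placeholders. (A real zone also carries NSEC/NSEC3
# records; they are checked like any other RRset.)

SAMPLE_ZONE='example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2022050601 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20220605000000 20220506000000 12345 example.com. AbCd==
example.com. 3600 IN DNSKEY 257 3 8 AwEAAb==
example.com. 3600 IN DNSKEY 256 3 8 AwEAAc==
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20220605000000 20220506000000 54321 example.com. EfGh==
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20220605000000 20220506000000 12345 example.com. IjKl==
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2022050601 7200 3600 1209600 3600'

# Same zone with one RRset that carries no signature (constructed failure case).
UNSIGNED_ZONE="$SAMPLE_ZONE
mail.example.com. 3600 IN A 192.0.2.25"

# count_dnskeys ZONE ALG: DNSKEY records published with algorithm number ALG.
# Presentation-format fields: owner ttl class DNSKEY flags proto alg key
count_dnskeys() {
    printf '%s\n' "$1" | awk -v alg="$2" '$4 == "DNSKEY" && $7 == alg { n++ } END { print n + 0 }'
}

# count_rrsigs_other_alg ZONE ALG: RRSIGs made with any algorithm other than ALG.
# Non-zero means an algorithm rollover has not finished (old signatures remain).
# Fields: owner ttl class RRSIG covered alg labels origttl exp inc keytag signer sig
count_rrsigs_other_alg() {
    printf '%s\n' "$1" | awk -v alg="$2" '$4 == "RRSIG" && $6 != alg { n++ } END { print n + 0 }'
}

# unsigned_rrsets ZONE: owner/type pairs that have no covering RRSIG at all.
unsigned_rrsets() {
    printf '%s\n' "$1" | awk '
        $4 != "RRSIG" { have[$1 " " $4] = 1 }
        $4 == "RRSIG" { sig[$1 " " $5] = 1 }
        END { n = 0; for (k in have) if (!(k in sig)) n++; print n }'
}

# check_zone ZONE ALG: returns 0 when the zone looks fully signed with ALG only,
# otherwise prints what is wrong and returns 1.
check_zone() {
    zone=$1; alg=$2; rc=0
    keys=$(count_dnskeys "$zone" "$alg")
    stale=$(count_rrsigs_other_alg "$zone" "$alg")
    missing=$(unsigned_rrsets "$zone")
    [ "$keys" -ge 1 ] || { echo "no DNSKEY with algorithm $alg published"; rc=1; }
    [ "$stale" -eq 0 ] || { echo "$stale RRSIG(s) still use another algorithm"; rc=1; }
    [ "$missing" -eq 0 ] || { echo "$missing RRset(s) have no RRSIG"; rc=1; }
    return $rc
}

check_zone "$SAMPLE_ZONE" 8 && echo "sample zone: OK"
check_zone "$UNSIGNED_ZONE" 8 || echo "unsigned variant: rejected as expected"
```

The three counters are deliberately separate: a DNSKEY for the new algorithm with no signatures under it, or leftover signatures from the old algorithm, each mean the rollover is mid-flight, while an RRset with no RRSIG at all means the transferred copy should not go to the provider yet. Run the script against a real dump only after `named` has had time to sign, since automatic signing adds the keys and signatures according to the timing in the key files.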
