> I want to use SHA-256 for signing so I changed kasp.xml:
>
>   <!-- Parameters for KSK only -->
>   <KSK>
>     <Algorithm length="2048">8</Algorithm>
>     <Lifetime>P3D</Lifetime>
>     <Repository>softHSM</Repository>
>     <Standby>1</Standby>
>   </KSK>
>
>   <!-- Parameters for ZSK only -->
>   <ZSK>
>     <Algorithm length="1024">8</Algorithm>
>     <Lifetime>P1D</Lifetime>
>     <Repository>softHSM</Repository>
>     <Standby>1</Standby>
>
> and I ran a "ksmutil update all". No error message but, at the next
> resigning, everything is still done with algorithm 7. What did I
> forget? Should I simply wait for the next key rollover?

The keys that are already generated will still have the old algorithm, as will any StandbyKeys that you have published. Only new keys will be algorithm 8 and so until these new keys are being used then you will be using algorithm 7.

So yes, waiting for rollovers should fix the issue, or you can force them through as soon as the system thinks that the new keys are ready for use.

Sion
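
Added example, not part of the original thread and not OpenDNSSEC code: one way to see from the signed zone itself whether signing has moved from algorithm 7 to algorithm 8 is to count the algorithm field of the DNSKEY and RRSIG records. The zone text below is constructed (names, key tags and data are placeholders), the function names are hypothetical, and the parser assumes one record per line.

```python
from collections import Counter

ALG_NAMES = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}  # IANA DNSSEC algorithm numbers

# Constructed sample of signer output; key and signature data are shortened placeholders.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAcKSK7old=
example.test. 3600 IN DNSKEY 256 3 7 AwEAAcZSK7old=
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcZSK8new=
example.test. 3600 IN RRSIG SOA 7 2 3600 20240110000000 20240101000000 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20240110000000 20240101000000 54321 example.test. c2lnMg==
www.example.test. 3600 IN RRSIG A 7 3 3600 20240110000000 20240101000000 12345 example.test. c2lnMw==
"""

def algorithm_usage(zone_text):
    """Return (published, signing): keys counted by (role, alg), signatures by alg."""
    published, signing = Counter(), Counter()
    for line in zone_text.splitlines():
        tok = line.split(";", 1)[0].split()          # drop trailing comments
        idx = next((i for i, t in enumerate(tok) if t in ("DNSKEY", "RRSIG")), None)
        if idx is None:
            continue
        rdata = tok[idx + 1:]
        if tok[idx] == "DNSKEY" and len(rdata) >= 4:
            flags, alg = int(rdata[0]), int(rdata[2])  # flags, protocol, algorithm, key
            published[("KSK" if flags & 1 else "ZSK", alg)] += 1  # SEP bit marks a KSK
        elif tok[idx] == "RRSIG" and len(rdata) >= 9:
            signing[int(rdata[1])] += 1                # type covered, algorithm, ...
    return published, signing

def rollover_status(zone_text, wanted=8):
    """Classify how far the zone has moved to the wanted algorithm."""
    published, signing = algorithm_usage(zone_text)
    if not any(alg == wanted for _, alg in published):
        return "not-started"        # no key with the new algorithm is published yet
    new_sigs = signing[wanted]
    if new_sigs == 0:
        return "pre-published"      # new key visible, signatures still use the old one
    return "mixed" if sum(signing.values()) - new_sigs else "complete"

if __name__ == "__main__":
    published, signing = algorithm_usage(SAMPLE_ZONE)
    for alg, n in sorted(signing.items()):
        print(f"{n} RRSIGs with algorithm {alg} ({ALG_NAMES.get(alg, 'other')})")
    print("status:", rollover_status(SAMPLE_ZONE))
```
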
