Hello,

I tried an algorithm rollover (RSASHA1-NSEC3-SHA1 to RSASHA256) by simply changing the policy. It seemed to work correctly insofar as the signer config file got updated correctly, and an appropriate DNSKEY appeared in the zone. However, the auditor complained vigorously that (for all RRs):
ods-auditor[5146]: RRSIGS should include algorithm RSASHA256 for time.restena.lu, A, have : RSASHA1-NSEC3-SHA1

which makes sense as the RSASHA256-key was not 'active' yet. So I rolled the ZSK, after which the auditor said:

ods-auditor[5367]: RRSIGS should include algorithm RSASHA1-NSEC3-SHA1 for time.restena.lu, A, have : RSASHA256

which seems to make less sense, as the RSASHA1-NSEC3-SHA1 has been retired.

Is that expected, and what is the correct approach: disable the auditor during this kind of operation? Or wait more patiently and everything will settle?

BTW: the auditor hung consistently after each of these runs and had to be killed manually. (ods 1.0.0)

Best,
Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
