Re: Reminder: BIND 9.11 is going EOL in March 2022

2022-04-05 Thread Victoria Risk



> On Apr 5, 2022, at 12:37 PM, John Thurston wrote:
> 
> We've reached April, 2022. I expect, in the next 30 days or so, we'll be 
> seeing an announcement regarding the change of contents of bind-esv, bind, 
> and bind-dev.
> 
> Is it reasonable to expect these changes will occur in about the middle of 
> the month?

Yes - good question. We will replace the contents of the repos when we post the 
next version. We usually post the BIND releases on the third Wednesday of the 
month, so the changeover should happen on April 20th.

Regards,

Vicky Risk
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Reminder: BIND 9.11 is going EOL in March 2022

2022-04-05 Thread John Thurston


On 1/26/2022 9:09 AM, Victoria Risk wrote:

For those using the ISC BIND packages:

Because we are still patching 9.11, and we haven’t yet issued a new 
development branch, we are putting 9.18.0 into the bind-dev 
repositories, for now.


In April, we plan to do a version rollover:
- bind-esv will go from 9.11 to 9.16
- bind will go from 9.16 to 9.18
- bind-dev will go from 9.18.1 to 9.19.0

BIND 9.19.0 will be the new development branch.



We've reached April, 2022. I expect, in the next 30 days or so, we'll be 
seeing an announcement regarding the change of contents of bind-esv, 
bind, and bind-dev.


Is it reasonable to expect these changes will occur in about the middle 
of the month?



--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska


Changing the DNSSEC algorithm

2022-04-05 Thread Danilo Godec via bind-users

Hello,


I implemented DNSSEC for my personal domain a good while ago with an 
older BIND and back then, I used the RSASHA1-NSEC3-SHA1 algorithm, which by 
now is not recommended... So I'm going to change the algorithm, probably 
to ECDSAP256SHA256, which should also be NSEC3 capable.


Since my domain is small and rarely changes, I'm not using any fancy 
updating features - I manage it manually, by editing the non-signed 
version of the zone file and then signing it to create a signed version.



Here I'd like to verify that I understand the steps required to change 
the DNSSEC key / algorithm without disruption:



1. create new keys for my zone

 * dnssec-keygen -a ECDSAP256SHA256 -n ZONE mydomain
 * dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE mydomain


2. include new keys in my zone while keeping old keys too:

    $INCLUDE Kmydomain.+008+14884.key ; old key
    $INCLUDE Kmydomain.+008+27618.key ; old key
    $INCLUDE Kmydomain.+013+10503.key ; new key
    $INCLUDE Kmydomain.+013+39532.key ; new key


3. sign the zone file

    /usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -e +3024000 -o mydomain -t mydomain.hosts



4. ask the registrar to add new DS record to TLD (I have to do this by 
mail, there is no 'self-service' UI)


5. wait at least one TTL (making sure to use the longest TTL in my zone)

6. ask the registrar to remove old DS record(s) (I don't quite remember 
why, but I had two)


7. wait another TTL period

8. remove old keys from zone

9. re-sign the zone


Will that be OK?


   Best regards,

 Danilo
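
Added example, not part of the original post: a pre-flight check one could run on the signed zone between steps 3 and 4, confirming that every RRset carries an RRSIG for each algorithm present in the apex DNSKEY RRset (the RFC 4035 section 2.2 requirement) and reporting the longest TTL for step 5. It assumes one record per line in `owner TTL class type rdata` form, as dig prints, and a zone with no delegations; the records, key data and signatures in the sample are constructed.

```python
# Added example: dual-algorithm signature check for a DNSSEC algorithm rollover.
from collections import defaultdict

# Constructed sample zone: key and signature data are placeholders, not real keys.
SAMPLE = """\
mydomain. 3600 IN SOA ns.mydomain. admin.mydomain. 1 7200 3600 1209600 3600
mydomain. 3600 IN RRSIG SOA 8 1 3600 20220510000000 20220405000000 14884 mydomain. AAAA
mydomain. 3600 IN RRSIG SOA 13 1 3600 20220510000000 20220405000000 10503 mydomain. BBBB
mydomain. 3600 IN DNSKEY 256 3 8 AwEAAa==
mydomain. 3600 IN DNSKEY 257 3 8 AwEAAb==
mydomain. 3600 IN DNSKEY 256 3 13 oJMRESz5==
mydomain. 3600 IN DNSKEY 257 3 13 mdsswUyr==
mydomain. 3600 IN RRSIG DNSKEY 8 1 3600 20220510000000 20220405000000 27618 mydomain. CCCC
mydomain. 3600 IN RRSIG DNSKEY 13 1 3600 20220510000000 20220405000000 39532 mydomain. DDDD
www.mydomain. 86400 IN A 192.0.2.10
www.mydomain. 86400 IN RRSIG A 8 2 86400 20220510000000 20220405000000 14884 mydomain. EEEE
"""

def parse(text):
    """Yield (owner, ttl, type, rdata fields) for each record line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not line.startswith(";"):
            yield f[0].lower(), int(f[1]), f[3].upper(), f[4:]

def check_zone(text, apex):
    """Return (DNSKEY algorithms, RRsets missing a signature algorithm, longest TTL)."""
    key_algs = set()              # algorithm numbers in the apex DNSKEY RRset
    rrsets = set()                # (owner, type) of every non-RRSIG RRset
    sig_algs = defaultdict(set)   # (owner, covered type) -> RRSIG algorithm numbers
    max_ttl = 0
    for owner, ttl, rtype, rdata in parse(text):
        max_ttl = max(max_ttl, ttl)
        if rtype == "RRSIG":      # rdata: type-covered, algorithm, labels, ...
            sig_algs[(owner, rdata[0].upper())].add(int(rdata[1]))
        else:
            rrsets.add((owner, rtype))
            if rtype == "DNSKEY" and owner == apex:   # rdata: flags, protocol, algorithm
                key_algs.add(int(rdata[2]))
    missing = {}
    for rrset in sorted(rrsets):
        gap = key_algs - sig_algs[rrset]
        if gap:
            missing[rrset] = sorted(gap)
    return key_algs, missing, max_ttl

if __name__ == "__main__":
    print(check_zone(SAMPLE, "mydomain."))
```

In the constructed sample the `www` A RRset is signed only with algorithm 8, so it is reported as missing algorithm 13.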
