On 10/15/2011 08:32 PM, Mark Elkins wrote:
So what you are saying in practical terms is in order to migrate from
RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
cycle once a year) and then at exactly the same time start using
RSASHA256 on the KSK's (which cycle every
On Sun, 2011-10-16 at 12:13 +0100, Phil Mayers wrote:
On 10/15/2011 08:32 PM, Mark Elkins wrote:
So what you are saying in practical terms is in order to migrate from
RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
cycle once a year) and then at exactly the same
Saw the light of day and decided to change my DNSSEC signing script to
create DNS Keys with RSASHA256 rather than RSASHA1. It seems one can not
mix these two in the same zone
I've created a short script to demonstrate the issue.
I've Attached RunTest that simulates what I am doing.
It uses
On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote:
On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins m...@posix.co.za wrote:
Basically - create a KSK and ZSK with RSASHA1 - Sign - and
visibly check
the results.
Add a new KSK using RSASHA256 - prep the zone and
True - no problem with a handful of zones.
Now assume a few thousand being automated from some script.
Wonder if OpenDNSSEC handles this at all?
OK - so I've rewritten my script to not worry (Don't Panic) - just keep
using the monthly KSK's with RSASHA1 until it sees a ZSK with the
RSASHA256
On Sat, Oct 15, 2011 at 1:31 PM, Mark Elkins m...@posix.co.za wrote:
True - no problem with a handful of zones.
Now assume a few thousand being automated from some script.
Wonder if OpenDNSSEC handles this at all?
OK - so I've rewritten my script to not worry (Don't Panic) - just keep
In message 1318673495.8491.89.ca...@mjelap.posix.co.za, Mark Elkins writes:
Saw the light of day and decided to change my DNSSEC signing script to
create DNS Keys with RSASHA256 rather than RSASHA1. It seems one can not
mix these two in the same zone
I've created a short script to
7 matches
Mail list logo