RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-25 Thread Tony Finch
Spain, Dr. Jeffry A. spa...@countryday.net wrote: My experience with changing the timing metadata or removing the key files is that named issues a warning like the following: zone zone/IN: Key zone/algorithm/key tag missing or inactive and has no replacement: retaining signatures. In this

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-25 Thread Spain, Dr. Jeffry A.
My experience with changing the timing metadata or removing the key files is that named issues a warning like the following: zone zone/IN: Key zone/algorithm/key tag missing or inactive and has no replacement: retaining signatures. In this circumstance none of the RRSIGs or NSECs are

Re: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Alexander Gurvitz
Hello. I don't think that bind trying to sign with non-existent key will do any harm - probably just warning. But it's simpler - change metadata of the key - set deletion time to the time you want the key to be deleted (like DS deletion time+TTL). Bind with auto-dnssec allow re-reads the metadata

Re: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Mark Elkins
On Sat, 2012-06-23 at 22:34 +, Spain, Dr. Jeffry A. wrote: I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. The Bv9ARM doesn't discuss this procedure explicitly as far as I can tell, but section 4.9 presents some clues. I'd like to ask the experts on this list if the

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I don't think that bind trying to sign with non-existent key will do any harm - probably just warning. But it's simpler - change metadata of the key - set deletion time to the time you want the key to be deleted (like DS deletion time+TTL). Bind with auto-dnssec allow re-reads the metadata

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I discovered that if there was not at least one KSK and ZSK of the same algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life of one year and ZSK of one month, effectively to roll a key algorithm and without forcing the roll-over by removing all the old key/algorithm at

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I propose the following addition to the Bv9ARM, and request review and comment by the experts on this list. -- 4.9.14 DNSKEY Algorithm Rollover From time to time new digital signature algorithms with improved security are introduced, and it may be desirable for administrators to roll