Spain, Dr. Jeffry A. spa...@countryday.net wrote:
My experience with changing the timing metadata or removing the key
files is that named issues a warning like the following: zone zone/IN:
Key zone/algorithm/key tag missing or inactive and has no
replacement: retaining signatures. In this
My experience with changing the timing metadata or removing the key
files is that named issues a warning like the following: zone zone/IN:
Key zone/algorithm/key tag missing or inactive and has no
replacement: retaining signatures. In this circumstance none of the
RRSIGs or NSECs are
Hello.
I don't think that bind trying to sign with non-existent key will do any
harm - probably just warning.
But it's simpler - change metadata of the key - set deletion time to the
time you want the key to be deleted (like DS deletion time+TTL).
Bind with auto-dnssec allow re-reads the metadata
On Sat, 2012-06-23 at 22:34 +, Spain, Dr. Jeffry A. wrote:
I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8.
The Bv9ARM doesn't discuss this procedure explicitly as far as I can
tell, but section 4.9 presents some clues. I'd like to ask the experts
on this list if the
I don't think that bind trying to sign with non-existent key will do any harm
- probably just warning.
But it's simpler - change metadata of the key - set deletion time to the time
you want the key to be deleted (like DS deletion time+TTL).
Bind with auto-dnssec allow re-reads the metadata
I discovered that if there was not at least one KSK and ZSK of the same
algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life
of one year and ZSK of one month, effectively to roll a key algorithm and
without forcing the roll-over by removing all the old key/algorithm at
I propose the following addition to the Bv9ARM, and request review and comment
by the experts on this list.
--
4.9.14 DNSKEY Algorithm Rollover
From time to time new digital signature algorithms with improved security are
introduced, and it may be desirable for administrators to roll
I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. The
Bv9ARM doesn't discuss this procedure explicitly as far as I can tell, but
section 4.9 presents some clues. I'd like to ask the experts on this list if
the following procedure might accomplish an algorithm rollover
8 matches