RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-25 Thread Tony Finch
Spain, Dr. Jeffry A. <spa...@countryday.net> wrote: My experience with changing the timing metadata or removing the key files is that named issues a warning like the following: zone zone/IN: Key zone/algorithm/key tag missing or inactive and has no replacement: retaining signatures. In this

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-25 Thread Spain, Dr. Jeffry A.
My experience with changing the timing metadata or removing the key files is that named issues a warning like the following: zone zone/IN: Key zone/algorithm/key tag missing or inactive and has no replacement: retaining signatures. In this circumstance none of the RRSIGs or NSECs are

Re: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Alexander Gurvitz
Hello. I don't think that bind trying to sign with non-existent key will do any harm - probably just warning. But it's simpler - change metadata of the key - set deletion time to the time you want the key to be deleted (like DS deletion time+TTL). Bind with auto-dnssec allow re-reads the metadata

Re: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Mark Elkins
On Sat, 2012-06-23 at 22:34 +, Spain, Dr. Jeffry A. wrote: I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. The Bv9ARM doesn't discuss this procedure explicitly as far as I can tell, but section 4.9 presents some clues. I'd like to ask the experts on this list if the

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I don't think that bind trying to sign with non-existent key will do any harm - probably just warning. But it's simpler - change metadata of the key - set deletion time to the time you want the key to be deleted (like DS deletion time+TTL). Bind with auto-dnssec allow re-reads the metadata

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I discovered that if there was not at least one KSK and ZSK of the same algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life of one year and ZSK of one month, effectively to roll a key algorithm and without forcing the roll-over by removing all the old key/algorithm at

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I propose the following addition to the Bv9ARM, and request review and comment by the experts on this list. -- 4.9.14 DNSKEY Algorithm Rollover From time to time new digital signature algorithms with improved security are introduced, and it may be desirable for administrators to roll

Seeking Advice on DNSSEC Algorithm Rollover

2012-06-23 Thread Spain, Dr. Jeffry A.
I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. The Bv9ARM doesn't discuss this procedure explicitly as far as I can tell, but section 4.9 presents some clues. I'd like to ask the experts on this list if the following procedure might accomplish an algorithm rollover