Re: KSK signing zone records

2021-08-31 Thread raf via bind-users
On Tue, Aug 31, 2021 at 02:13:35PM +1000, Mark Andrews wrote:
> The rules for what gets signed by what are per algorithm. Additionally the
> SEP bit is a hint to the signer as to what is desired. Named has controls to
> say whether to pay attention to the SEP bit or not. Additionally it will
>

Re: KSK signing zone records

2021-08-31 Thread Mark Andrews
Named will continually re-sign parts of the zone as the RRSIGs for an RRset fall due for replacement. Named looks at which keys are in the active state to determine along with the aforementioned controls to work out which DNSKEYs will be used to re-sign the RRset. If in the past you only had

Re: KSK signing zone records

2021-08-31 Thread Timothy A. Holtzen via bind-users
I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384. I have one RSA KSK and one RSA ZSK. In addition I have two ECDSA KSK and two ECDSA ZSK. The RSA KSK seems perfectly happy to sign the ECDSA ZSKs. And both the RSA and ECDSA ZSKs seem to be signing records correctly. It just