On Mon, Oct 10, 2016 at 7:51 AM, Sebastian Wiesinger
wrote:
>
> http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/
>
> After the DS TTL expired I removed the old DS, so the zone now looks
> like this:
>
> http://dnsviz.net/d/blau.beer/V_t2Hg/dnssec/
>
TBH, the prior one looks
* Tony Finch [2016-10-10 12:36]:
> I thought the algorithm rollover process is required to be: introduce new
> ZSK and KSK and sign the zone; wait for old records to expire; flip the DS
> from old to new; wait for old DS to expire; delete old ZSK and KSK and
> RRSIGs. A double-DS
Mark Andrews wrote:
> Sebastian Wiesinger wrote:
> >
> > Thank you for explaining this for me. I was reading RFC6781, which I
> > now realize is probably outdated in this regard so I was a bit
> > confused.
RFC 7583 (DNSSEC Key Rollover Timing) is also
In message <20161007164742.ga18...@danton.fire-world.de>, Sebastian Wiesinger
writes:
> * Mark Andrews [2016-10-06 23:33]:
> > > is there a guide for an algorithm rollover with BIND9 for an
> > > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
> > > find a
* Mark Andrews [2016-10-06 23:33]:
> > is there a guide for an algorithm rollover with BIND9 for an
> > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
> > find a good guide for it. I already looked at the ISC DNSSEC Guide but
> > it doesn't seem to cover
In message <20161006205713.ga1...@danton.fire-world.de>, Sebastian Wiesinger writes:
> Hello,
>
> is there a guide for an algorithm rollover with BIND9 for an
> inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
> find a good guide for it. I already looked at the ISC DNSSEC
Hello,
is there a guide for an algorithm rollover with BIND9 for an
inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
find a good guide for it. I already looked at the ISC DNSSEC Guide but
it doesn't seem to cover that the RRSIGs made by the new keys need to
be published