Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-10 Thread Jim Popovitch
On Mon, Oct 10, 2016 at 7:51 AM, Sebastian Wiesinger wrote: > > http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/ > > After the DS TTL expired I removed the old DS, so the zone now looks > like this: > > http://dnsviz.net/d/blau.beer/V_t2Hg/dnssec/ > TBH, the prior one looks

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-10 Thread Sebastian Wiesinger
* Tony Finch [2016-10-10 12:36]: > I thought the algorithm rollover process is required to be: introduce new > ZSK and KSK and sign the zone; wait for old records to expire; flip the DS > from old to new; wait for old DS to expire; delete old ZSK and KSK and > RRSIGs. A double-DS

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-10 Thread Tony Finch
Mark Andrews wrote: > Sebastian Wiesinger wrote: > > > > Thank you for explaining this for me. I was reading RFC6781, which I > > now realize is probably outdated in this regard so I was a bit > > confused. RFC 7583 (DNSSEC Key Rollover Timing) is also

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-07 Thread Mark Andrews
In message <20161007164742.ga18...@danton.fire-world.de>, Sebastian Wiesinger writes: > * Mark Andrews [2016-10-06 23:33]: > > > is there a guide for an algorithm rollover with BIND9 for an > > > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to > > > find a

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-07 Thread Sebastian Wiesinger
* Mark Andrews [2016-10-06 23:33]: > > is there a guide for an algorithm rollover with BIND9 for an > > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to > > find a good guide for it. I already looked at the ISC DNSSEC Guide but > > it doesn't seem to cover

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-06 Thread Mark Andrews
In message <20161006205713.ga1...@danton.fire-world.de>, Sebastian Wiesinger writes: > Hello, > > is there a guide for an algorithm rollover with BIND9 for an > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to > find a good guide for it. I already looked at the ISC DNSSEC

BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-06 Thread Sebastian Wiesinger
Hello, is there a guide for an algorithm rollover with BIND9 for an inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to find a good guide for it. I already looked at the ISC DNSSEC Guide but it doesn't seem to cover that the RRSIGs made by the new keys need to be published