Re: KSK signing zone records

2021-09-02 Thread Mark Andrews
Just give it time. Named will choose the appropriate DNSKEY when it comes time to re-sign the RRset. -- Mark Andrews > On 3 Sep 2021, at 03:26, Timothy A. Holtzen wrote: > > Okay, so if I'm interpreting this correctly. When the new alg 14 KSKs > were created and then the zone was signed

Re: KSK signing zone records

2021-09-02 Thread Timothy A. Holtzen via bind-users
Okay, so if I'm interpreting this correctly.  When the new alg 14 KSKs were created and then the zone was signed (either automatically or via a command) there was probably only a valid alg 8 ZSK available.  As a result bind used the alg 14 KSK as a de facto CSK and signed the zone RRSets directly.

Re: KSK signing zone records

2021-09-01 Thread raf via bind-users
On Thu, Sep 02, 2021 at 11:15:32AM +1000, Mark Andrews wrote: > The primary reason that it is per algorithm is that validators and > signers are not required to support the same sets of algorithms and > if you want validation to work for everyone the zone has to be fully > signed for each

Re: KSK signing zone records

2021-09-01 Thread Mark Andrews
The primary reason that it is per algorithm is that validators and signers are not required to support the same sets of algorithms and if you want validation to work for everyone the zone has to be fully signed for each algorithm that you state that it is signed for, i.e. published in the DS RRset

Re: KSK signing zone records

2021-09-01 Thread raf via bind-users
On Wed, Sep 01, 2021 at 03:04:56PM +0100, Tony Finch wrote: > raf via bind-users wrote: > > On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton > > wrote: > > > > > What algorithm(s) are you using for ZSK and KSK? If they’re not the > > > same algorithm, then both will be used to sign the

Re: KSK signing zone records

2021-09-01 Thread Tony Finch
raf via bind-users wrote: > On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton > wrote: > > > What algorithm(s) are you using for ZSK and KSK? If they’re not the > > same algorithm, then both will be used to sign the entire zone. > > Just out of curiosity, why is that? > Isn't having the

Re: KSK signing zone records

2021-08-31 Thread raf via bind-users
On Tue, Aug 31, 2021 at 02:13:35PM +1000, Mark Andrews wrote: > The rules for what gets signed by what are per algorithm. Additionally the > SEP bit is a hint to the signer as to what is desired. Named has controls to > say whether to pay attention to the SEP bit or not. Additionally it will >

Re: KSK signing zone records

2021-08-31 Thread Mark Andrews
Named will continually re-sign parts of the zone as the RRSIGs for an RRset fall due for replacement. Named looks at which keys are in the active state to determine, along with the aforementioned controls, which DNSKEYs will be used to re-sign the RRset. If in the past you only had

Re: KSK signing zone records

2021-08-31 Thread Timothy A. Holtzen via bind-users
I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384.  I have one RSA KSK and one RSA ZSK.  In addition I have two ECDSA KSKs and two ECDSA ZSKs.   The RSA KSK seems perfectly happy to sign the ECDSA ZSKs.  And both the RSA and ECDSA ZSKs seem to be signing records correctly.  It just

Re: KSK signing zone records

2021-08-30 Thread Mark Andrews
The rules for what gets signed by what are per algorithm. Additionally the SEP bit is a hint to the signer as to what is desired. Named has controls to say whether to pay attention to the SEP bit or not. Additionally it will override those controls to pay attention to the SEP bit if it believes

Re: KSK signing zone records

2021-08-30 Thread Chris Buxton
I honestly don’t remember the reasoning, only the outcome. Maybe Mark or someone else from ISC can shed some light? I couldn’t find the answer to this regular (but infrequent) question in the ISC KB. Regards, Chris Buxton > On Aug 30, 2021, at 3:40 PM, raf via bind-users > wrote: > > On

Re: KSK signing zone records

2021-08-30 Thread raf via bind-users
On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote: > What algorithm(s) are you using for ZSK and KSK? If they’re not the > same algorithm, then both will be used to sign the entire zone. > > Regards, > Chris Buxton Just out of curiosity, why is that? Isn't having the KSK sign the

Re: KSK signing zone records

2021-08-30 Thread Chris Buxton
What algorithm(s) are you using for ZSK and KSK? If they’re not the same algorithm, then both will be used to sign the entire zone. Regards, Chris Buxton > On Aug 30, 2021, at 9:08 AM, Timothy A. Holtzen via bind-users > wrote: > > Signed PGP part > I've had an issue with my key rotation

KSK signing zone records

2021-08-30 Thread Timothy A. Holtzen via bind-users
I've had an issue with my key rotation process on a couple of zones.  I believe I've resolved that issue but it appears to me in several cases the KSKs rather than being used to sign the ZSK are being used to sign the zone records directly.