Thank you! I have now corrected our ancient internal wiki, so now we have
learned how it goes.
Very much appreciate your patience and help; now I can start my weekend :->
On Sat, May 1, 2021 at 10:31 PM Tony Finch wrote:
> Edwardo Garcia wrote:
> >
> > So you mean to say when it prints out
> >
Edwardo Garcia wrote:
>
> So you mean to say when it prints out
>
> IN DS 45701 13 1 5422E9...
> IN DS 45701 13 2 qwertyE9...
>
> we never needed 45701 13 1 5422E9, only 45701 13 2 qwertyE9 ?
Exactly, yes!
> and we only need run
>
> dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -2 -f -
OK, I assume that was the same as
dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -f - guiltyparty.net
which has been in our internal wiki for all these years (predates my employment
in 2012).
So you mean to say when it prints out
IN DS 45701 13 1 5422E9...
IN DS 45701 13 2 qwertyE9...
we never
Edwardo Garcia wrote:
> One thing I note: all checks say everything is good, but when using dnsviz,
> it says secure, shows the ecd... but also puts up warnings that I am using
> alg 13 but digest 1 (sha1), which is not allowed,
I guess the "digest 1" is referring to your DS records. In my
One thing I note: all checks say everything is good, but when using dnsviz,
it says secure, shows the ecd... but also puts up warnings that I am using
alg 13 but digest 1 (sha1), which is not allowed. I never used the setting
when creating keys, as the guide says it is not needed; if this is a problem with
@lbutlr wrote:
>
> I updated the last of my zones over a month ago and they are still
> showing alg-7.
>
> I'm sure I missed a step on these specific domains, but there are only a
> handful that are still using alg-7 and many more that are now on alg-13
> only.
Hmm, curious!
If you have swapped
On 30 Apr 2021, at 12:15, Tony Finch wrote:
>
> dig +ttlunits example.com ds @$(dig +short com ns | head -1)
I updated the last of my zones over a month ago and they are still showing
alg-7. The longest TTL in the zone files is 2w, but we're 29 days in.
The signed file has
Edwardo Garcia wrote:
>
> One question however: it talks about the longest TTL; does this also mean the root
> TLD zones (.com, .net), which from memory are 48 hours, so before we delete the
> old keys we need to wait 48 hours, even though our zone TTL was 24?
When you are waiting after adding and signing with
Waiting twice the TTL is the safe option. Start counting from when you
see the new DS record in the parent. To be even more pedantic, start
counting after all authoritative nameservers have the new DS record...
Quite easy to do from a script.
And the recommendation to move to ecdsa-p256-sha256
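The waiting rule in the reply above (count twice the longest TTL, and start the clock only once every authoritative server of the parent serves the new DS), written out as an added example that is not code from the thread. The parent server names, DS answers, digests and timestamp are constructed; in real use each answer list is the output of the dig command the block generates, run against every server that `dig +short com ns` returns rather than only the first one. Function names are my own.

```python
# Added example, not code from the thread: decide when it is safe to remove the
# old keys after a DNSSEC algorithm rollover. The 2xTTL clock starts only once
# every authoritative server of the parent returns the new DS, and the old DS
# must be gone too, because a resolver that still fetches the old DS needs the
# old key to validate.
from datetime import datetime, timedelta, timezone


def dig_commands(zone, parent_servers):
    """The queries to run, one per parent authoritative server."""
    return [f"dig @{s} {zone} DS +noall +answer" for s in parent_servers]


def parse_ds_answer(lines):
    """Parse DS RRs in presentation format, e.g.
    'guiltyparty.net. 86400 IN DS 45701 13 2 <hex>', skipping anything else."""
    records = []
    for line in lines:
        f = line.split()
        if len(f) < 8 or f[3] != "DS":
            continue
        records.append({"ttl": int(f[1]), "key_tag": int(f[4]), "algorithm": int(f[5]),
                        "digest_type": int(f[6]), "digest": "".join(f[7:])})
    return records


def parent_ds_state(answers, new_ds, old_algorithm):
    """Per-server view: does it serve the new DS (key tag, algorithm, digest type),
    does it still serve a DS for the old algorithm, and what DS TTL does it hand out."""
    report = {}
    for server, lines in answers.items():
        rrs = parse_ds_answer(lines)
        report[server] = {
            "has_new": any((r["key_tag"], r["algorithm"], r["digest_type"]) == new_ds for r in rrs),
            "has_old": any(r["algorithm"] == old_algorithm for r in rrs),
            "ds_ttl": max((r["ttl"] for r in rrs), default=0),
        }
    return report


def all_parents_updated(report):
    """True only when every parent server serves the new DS and no old-algorithm DS."""
    return all(s["has_new"] and not s["has_old"] for s in report.values())


def earliest_old_key_removal(report, all_seen_at, zone_max_ttl):
    """None until the parent is fully updated; otherwise the time at which twice
    the longest TTL involved (parent DS TTL or the zone's own longest TTL,
    whichever is larger) has elapsed since all_seen_at."""
    if not all_parents_updated(report):
        return None
    longest = max([zone_max_ttl] + [s["ds_ttl"] for s in report.values()])
    return all_seen_at + timedelta(seconds=2 * longest)


NEW_DS = (45701, 13, 2)  # key tag, algorithm, digest type of the thread's new DS line
OLD_ALG = 7              # RSASHA1-NSEC3-SHA1, the algorithm being rolled away from

# Constructed answers from three hypothetical parent servers; the hex digests are
# placeholders, not real hashes.
ANSWERS_MID_ROLLOVER = {
    "a.parent.example.": ["guiltyparty.net. 86400 IN DS 45701 13 2 " + "AB" * 32],
    "b.parent.example.": ["guiltyparty.net. 86400 IN DS 45701 13 2 " + "AB" * 32],
    # still serving only the old alg-7 DS, the situation lbutlr describes
    "c.parent.example.": ["guiltyparty.net. 86400 IN DS 12345 7 2 " + "CD" * 32],
}
ANSWERS_DONE = {s: ANSWERS_MID_ROLLOVER["a.parent.example."] for s in ANSWERS_MID_ROLLOVER}
SEEN_AT = datetime(2021, 5, 1, 22, 31, tzinfo=timezone.utc)  # constructed timestamp

if __name__ == "__main__":
    print("\n".join(dig_commands("guiltyparty.net", ANSWERS_MID_ROLLOVER)))
    for label, answers in (("mid-rollover", ANSWERS_MID_ROLLOVER), ("done", ANSWERS_DONE)):
        report = parent_ds_state(answers, NEW_DS, OLD_ALG)
        print(label, report)
        print("remove old keys no earlier than:", earliest_old_key_removal(report, SEEN_AT, 86400))
```

With a zone whose longest TTL is 24 hours and a parent DS TTL of 24 hours the block returns a removal time 48 hours after the moment all parent servers agreed; if the parent's DS TTL is longer than the zone's, that larger value is the one doubled, which answers the "zone TTL versus TLD TTL" question asked above in the conservative direction.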
Hello Tony,
Thank you, wow, ecdsa-p256-sha256 produces keys 1/10th the size of RSA,
strange how this is better, but we have made the change as
per your howto, thank you; now 24 hours on and all seems ok from what we can tell,
and the test site says all good.
One question however: it talks about the longest TTL, does
Edwardo Garcia wrote:
>
> Many years ago we set up DNSSEC; our keys were generated with sha1 as was
> recommended way back in those years. We too are not DNSSEC gurus, so some
> answers may be simple
Well, you are going to do an algorithm rollover, which is one of the more
tricky things you can do