On 15/10/2011 20:32, Mark Elkins wrote:
> So what you are saying in practical terms is in order to migrate from
> RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> cycle once a year) and then at exactly the same time start using
> RSASHA256 on the KSKs (which cycle every month) -- making any existing
> ZSK using RSASHA1 (or their DSs in the parent) redundant after about a
> further month.

You don't have to wait.  There's nothing to stop you doing an early key
rollover for your ZSK, and switching algorithms.  You can then either
revoke the old ZSK or change its expiry date -- once you've got the DS
records in the parent updated, of course.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
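The constraint behind the ordering in this thread: RFC 4035 section 2.2 requires that every algorithm present in the apex DNSKEY RRset signs every RRset in the zone, so the RSASHA256 signatures must be in place when the RSASHA256 keys are published, and the RSASHA1 keys must stay until their signatures are gone. The following is an added example, not code from this thread or from BIND, that checks a zone's presentation-format records for exactly that gap; the zone name, key data and signatures are constructed placeholders.

```python
"""Spot algorithm-coverage gaps in a zone during a DNSSEC algorithm rollover.

RFC 4035 section 2.2: there must be an RRSIG for each RRset using at least
one DNSKEY of each algorithm in the zone apex DNSKEY RRset.  Publishing an
RSASHA256 (alg 8) DNSKEY while RRsets are still signed only with RSASHA1
(alg 5) therefore breaks validation for strict validators.
"""
from collections import defaultdict

# Constructed sample, mid-rollover: a new alg-8 ZSK is published and only the
# DNSKEY RRset has been re-signed with it so far.  Keys/sigs are placeholders.
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 5 AwEAAaKSK...
example.com. 3600 IN DNSKEY 256 3 5 AwEAAaZSKold...
example.com. 3600 IN DNSKEY 256 3 8 AwEAAaZSKnew...
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20111201000000 20111101000000 11111 example.com. sig...
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20111201000000 20111101000000 33333 example.com. sig...
example.com. 3600 IN RRSIG SOA 5 2 3600 20111201000000 20111101000000 22222 example.com. sig...
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 5 3 3600 20111201000000 20111101000000 22222 example.com. sig...
"""


def parse_zone(text):
    """Return (set of DNSKEY algorithms, {(owner, type): set of RRSIG algs})."""
    dnskey_algs = set()
    rrsig_algs = defaultdict(set)
    for line in text.splitlines():
        tok = line.split()
        if "RRSIG" in tok:                      # check RRSIG first: "RRSIG DNSKEY ..."
            i = tok.index("RRSIG")
            rrsig_algs[(tok[0], tok[i + 1])].add(int(tok[i + 2]))  # TYPE ALG ...
        elif "DNSKEY" in tok:
            i = tok.index("DNSKEY")
            dnskey_algs.add(int(tok[i + 3]))    # flags protocol ALG key
    return dnskey_algs, rrsig_algs


def missing_signatures(text):
    """(owner, type, alg) for signed RRsets lacking an RRSIG of a published algorithm.
    Only RRsets that carry at least one RRSIG are examined."""
    dnskey_algs, rrsig_algs = parse_zone(text)
    return sorted((owner, rtype, alg) for (owner, rtype), algs in rrsig_algs.items()
                  for alg in dnskey_algs - algs)


def stale_signatures(text):
    """(owner, type, alg) for RRSIGs whose algorithm has left the DNSKEY RRset."""
    dnskey_algs, rrsig_algs = parse_zone(text)
    return sorted((owner, rtype, alg) for (owner, rtype), algs in rrsig_algs.items()
                  for alg in algs - dnskey_algs)


if __name__ == "__main__":
    for owner, rtype, alg in missing_signatures(SAMPLE_ZONE):
        print(f"{owner} {rtype}: no RRSIG with algorithm {alg}")
```

Run against a `dig +dnssec` dump or a signed zone file before updating the DS in the parent; an empty result from `missing_signatures` is the condition for proceeding, and a non-empty `stale_signatures` lists signatures that can be dropped once the old keys are gone.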
