On 10/15/2011 08:32 PM, Mark Elkins wrote:
> So what you are saying in practical terms is in order to migrate from RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which cycle once a year) and then at exactly the same time start using RSASHA256 on the KSK's (which cycle every month) - making any existing
Why are you rotating your KSK monthly, but your ZSK yearly? That's the wrong way round, surely?
(ZSK signs a lot more data, so a determined attacker has much more known plaintext with which to brute-force your ZSK; KSK only signs the ZSK, so it can be left in place for longer)
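As an added worked example (not part of the thread, and not BIND's own code), the following Python model walks through the RSASHA1 to RSASHA256 migration raised in the quoted message in the order RFC 6781 section 4.1.4 prescribes for a conservative algorithm rollover, and checks every step against the validator rule from RFC 4035 section 2.2: each algorithm listed in the DNSKEY RRset must sign every RRset, and each algorithm in the parent DS must be backed by a signing KSK in the DNSKEY RRset. Key tags, labels and the function names are constructed for the example; it does not touch real keys or zone files.

```python
"""Model of a DNSSEC algorithm rollover (RSASHA1 -> RSASHA256), checked
step by step against what a strict validator requires. Constructed example
for illustration; key tags and step labels are invented."""
from dataclasses import dataclass

RSASHA1 = 5        # IANA DNSSEC algorithm numbers
RSASHA256 = 8


@dataclass(frozen=True)
class Key:
    tag: int       # constructed key tag
    alg: int
    ksk: bool


@dataclass(frozen=True)
class ZoneState:
    label: str
    dnskeys: frozenset   # keys published in the DNSKEY RRset
    signers: frozenset   # keys whose RRSIGs are present in the zone
    ds_algs: frozenset   # algorithms of the DS RRs held by the parent


def check(state):
    """Return the violations a strict validator would hit (empty list = OK).

    Rule 1 (RFC 4035 s2.2): every algorithm present in DNSKEY must have
    RRSIGs over the zone data. Extra RRSIGs from keys that are not (yet)
    published are harmless; validators simply ignore them.
    Rule 2: every DS algorithm must map to a published KSK of that
    algorithm that is signing the DNSKEY RRset, otherwise the chain of
    trust from the parent cannot be built.
    """
    problems = []
    published = {k.alg for k in state.dnskeys}
    signing = {k.alg for k in state.signers}
    for alg in sorted(published - signing):
        problems.append(f"{state.label}: DNSKEY lists alg {alg} but no RRSIGs use it")
    for alg in sorted(state.ds_algs):
        if alg not in published:
            problems.append(f"{state.label}: DS alg {alg} has no DNSKEY")
        elif not any(k.ksk and k.alg == alg for k in state.signers & state.dnskeys):
            problems.append(f"{state.label}: DS alg {alg} has no signing KSK")
    return problems


# Constructed key set: one KSK/ZSK pair per algorithm.
K1 = Key(10001, RSASHA1, True)
Z1 = Key(10002, RSASHA1, False)
K2 = Key(20001, RSASHA256, True)
Z2 = Key(20002, RSASHA256, False)
OLD = frozenset({K1, Z1})
NEW = frozenset({K2, Z2})


def conservative_rollover():
    """RFC 6781 s4.1.4 ordering: new RRSIGs first, then new DNSKEYs, then the
    DS swap, then drop the old DNSKEYs, and only then the old RRSIGs.
    Each step must wait out the relevant TTL before the next one; this
    model checks ordering only, not timing."""
    return [
        ZoneState("initial",        OLD,       OLD,       frozenset({RSASHA1})),
        ZoneState("new RRSIGs",     OLD,       OLD | NEW, frozenset({RSASHA1})),
        ZoneState("new DNSKEYs",    OLD | NEW, OLD | NEW, frozenset({RSASHA1})),
        ZoneState("DS swapped",     OLD | NEW, OLD | NEW, frozenset({RSASHA256})),
        ZoneState("old keys gone",  NEW,       OLD | NEW, frozenset({RSASHA256})),
        ZoneState("old RRSIGs gone", NEW,      NEW,       frozenset({RSASHA256})),
    ]


def premature_publish():
    """The frequent mistake: publish the RSASHA256 DNSKEYs before any
    RSASHA256 RRSIGs exist. A strict validator then treats the zone as bogus."""
    return ZoneState("keys before sigs", OLD | NEW, OLD, frozenset({RSASHA1}))


def audit(states):
    """Map each step label to its list of problems."""
    return {s.label: check(s) for s in states}


if __name__ == "__main__":
    for label, problems in audit(conservative_rollover()).items():
        print(f"{label:16s} {'OK' if not problems else problems}")
    print(check(premature_publish()))
```

The ordering matters more than the key lifetimes: with both algorithms signing at every intermediate step, the DS swap and the KSK and ZSK creation do not need to coincide, which is the constraint the quoted message was trying to satisfy.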
bind-users mailing list, bind-users@lists.isc.org, https://lists.isc.org/mailman/listinfo/bind-users