On Sat, 2012-06-23 at 22:34 +0000, Spain, Dr. Jeffry A. wrote:
> I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8.
> The Bv9ARM doesn't discuss this procedure explicitly as far as I can
> tell, but section 4.9 presents some clues. I'd like to ask the experts
> on this list if the following procedure might accomplish an algorithm
> rollover cleanly.
Before in-line signing existed, I rolled my keys from algorithm 5 to 8. I was thus using dnssec-signzone to perform the signing. I had also generated my own keys, both KSK and ZSK. ZSKs and KSKs up until then were running their own life-cycles independently from each other. I thought this 'independence' was good as DNSSEC events would happen spread around the year.

I discovered that if there was not at least one KSK and ZSK of the same algorithm, dnssec-signzone would fail.

If one goes with defaults, KSK life of one year and ZSK of one month, effectively to roll a key algorithm and without forcing the roll-over by removing all the old key/algorithm at the same time, you have to wait for a KSK to 'expire' then add a new algorithm key pair together. As soon as the last old algorithm KSK expires, there must no longer be any old algorithm ZSKs left, but old algorithm ZSKs must be around until this event. That is - at the time of roll-over - you have a KSK/ZSK pair using the old algorithm and a pair using the new algorithm, obviously with appropriate DSs in the Parent. (That should make sense)

So, if you only have a very few signed zones, it's possibly easier to resign them from scratch, or force a roll-over. (Avoid the pain!) If you re-do everything at the same time - then DNS signing events may no longer be scattered around the year - maybe not a good thing.

I'd expect in-line signing to be of a similar nature unless algorithm 7 and 8 keys can as such 'speak for each other'.

My advice, test mixing old and new algorithm keys by signing with dnssec-signzone and presume the same rules exist for in-line signing too. I'd look for a solution that 'upgrades' a zone to using a new Key algorithm at the scheduled time of a KSK roll-over.

I'm sure you'll post the results here!

-- 
  .  . ___. .__     Posix Systems - (South) Africa
 /| /| / /__        m...@posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__   LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
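The constraint Mark describes (every algorithm that appears in the DNSKEY RRset needs both a KSK and a ZSK of that algorithm, so the new pair must go in together and the old pair must leave together) is easy to get wrong when KSK and ZSK lifetimes are scheduled independently. The following is an added example, not code from the thread or from BIND: a small Python checker that walks a planned key timeline day by day and reports every day on which some algorithm lacks one of the two roles. The key names, dates and the two plans are constructed; the model treats a key as signing for the whole time it is published (no separate pre-publish or inactive period) and ignores the parent DS records, which need their own timing.

```python
"""Check a planned DNSSEC algorithm rollover for the rule that, on every day,
each algorithm present in the DNSKEY RRset has both a KSK and a ZSK.

Added example with constructed key plans; not BIND's own logic.  A key is
treated as signing from its publish day up to (not including) its delete day.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Key:
    name: str
    role: str      # "KSK" or "ZSK"
    alg: int       # DNSKEY algorithm number: 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256
    publish: date  # first day the key is in the DNSKEY RRset and signs
    delete: date   # first day the key is gone again

    def present_on(self, day: date) -> bool:
        return self.publish <= day < self.delete


def problems(keys, start: str, end: str):
    """Walk start..end (ISO dates, inclusive) and return a list of
    (iso_day, algorithm, message) for every day on which an algorithm in the
    DNSKEY RRset has no KSK or no ZSK of that algorithm."""
    out = []
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    while day <= last:
        present = [k for k in keys if k.present_on(day)]
        for alg in sorted({k.alg for k in present}):
            roles = {k.role for k in present if k.alg == alg}
            for role in ("KSK", "ZSK"):
                if role not in roles:
                    out.append((day.isoformat(), alg, f"no {role} for algorithm {alg}"))
        day += timedelta(days=1)
    return out


def d(s: str) -> date:
    return date.fromisoformat(s)


# Constructed plan A: the new algorithm-8 KSK and ZSK are published on the same
# day, and the old algorithm-7 KSK and ZSK are withdrawn on the same day.  A
# second algorithm-8 ZSK overlaps the first so the monthly ZSK roll continues.
GOOD_PLAN = [
    Key("ksk7",  "KSK", 7, d("2012-01-01"), d("2012-08-01")),
    Key("zsk7",  "ZSK", 7, d("2012-06-15"), d("2012-08-01")),
    Key("ksk8",  "KSK", 8, d("2012-07-15"), d("2013-07-15")),
    Key("zsk8a", "ZSK", 8, d("2012-07-15"), d("2012-08-15")),
    Key("zsk8b", "ZSK", 8, d("2012-08-10"), d("2012-09-15")),
]

# Constructed plan B: the ZSK is switched to algorithm 8 on its own monthly
# schedule while the algorithm-7 KSK stays, and the algorithm-8 KSK only
# arrives two weeks later.  In between, algorithm 7 has no ZSK and
# algorithm 8 has no KSK, which is the situation dnssec-signzone rejects.
BAD_PLAN = [
    Key("ksk7", "KSK", 7, d("2012-01-01"), d("2012-08-01")),
    Key("zsk7", "ZSK", 7, d("2012-06-15"), d("2012-07-15")),
    Key("zsk8", "ZSK", 8, d("2012-07-15"), d("2012-08-15")),
    Key("ksk8", "KSK", 8, d("2012-08-01"), d("2013-08-01")),
]


if __name__ == "__main__":
    for label, plan in (("plan A", GOOD_PLAN), ("plan B", BAD_PLAN)):
        found = problems(plan, "2012-07-01", "2012-08-31")
        print(f"{label}: {len(found)} problem day/algorithm entries")
        for day, alg, msg in found[:3]:
            print(f"  {day}: {msg}")
```

Running it reports no problems for plan A and a run of entries for plan B starting on 2012-07-15, the day the algorithm-8 ZSK replaced the algorithm-7 one while the KSK was still algorithm 7. The same walk can be extended with DS publish and withdraw dates at the parent, which must bracket the lifetime of the matching KSK.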
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users