On 3/3/20 5:26 PM, Tony Finch wrote:
> If you are doing an algorithm rollover, you should have 2 keys (ZSK and
> KSK) for each algorithm, 4 keys total. I only use dnssec-signzone if I'm
> testing or doing something weird, so I'm not familiar with it. (In
> production I use automatic signing in `named` because it is easier.) But
> you might be able to follow my howto inserting a dnssec-signzone before
> rndc reload and you might get something that will approximately work...
I'm letting named do the automatic signing/generation of RRSIG records, but unless I'm missing something, you still have to generate the DNSKEY records manually. dnssec-verify is the tool in question complaining about not including RSASHA1 keys and signatures. I'm still in the initial phases of setting this up, so I don't have to worry about algorithm rollover so much, as except for a couple of test domains, there's no DS record to cause them to get used. I did build scripts for doing the ZSK and KSK rollovers though. In short, I'm setting things up so there are only two keys: KSK and ZSK using RSASHA256, which I think is the way things should be these days.
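As an added illustration of the complaint dnssec-verify raises in this thread (this is not code from the thread or from BIND, and the zone lines are constructed sample data), a small Python check over a signed zone: every algorithm present in the apex DNSKEY RRset should have both a KSK and a ZSK, and every RRSIG set should carry a signature from each such algorithm, so a leftover RSASHA1 key that signs nothing is flagged.

```python
import re
from collections import defaultdict

# Assumed mapping of DNSSEC algorithm numbers to their IANA mnemonics.
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

# owner [ttl] IN DNSKEY flags 3 algorithm ...  /  owner [ttl] IN RRSIG type algorithm ...
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s")
RRSIG_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+RRSIG\s+(\S+)\s+(\d+)\s")

def check_zone(zone_text):
    """Return a list of algorithm-consistency problems; an empty list means the zone is consistent.

    Each algorithm in the DNSKEY RRset should have a KSK (flags 257) and a ZSK
    (flags 256), and every RRSIG set must include a signature by each of those
    algorithms (RFC 4035 section 2.2). This approximates what dnssec-verify reports.
    """
    key_flags = defaultdict(set)  # algorithm number -> DNSKEY flag values seen
    sig_algs = defaultdict(set)   # (owner, covered type) -> algorithms that signed it
    for line in zone_text.splitlines():
        m = DNSKEY_RE.match(line)
        if m:
            key_flags[int(m.group(3))].add(int(m.group(2)))
            continue
        m = RRSIG_RE.match(line)
        if m:
            sig_algs[(m.group(1), m.group(2))].add(int(m.group(3)))
    problems = []
    for alg in sorted(key_flags):
        name = ALG_NAMES.get(alg, f"alg{alg}")
        if 257 not in key_flags[alg]:
            problems.append(f"{name}: no KSK (flags 257)")
        if 256 not in key_flags[alg]:
            problems.append(f"{name}: no ZSK (flags 256)")
        for (owner, rtype), algs in sorted(sig_algs.items()):
            if alg not in algs:
                problems.append(f"{name}: {owner} {rtype} not signed by this algorithm")
    return problems

# Constructed sample: RSASHA256 KSK and ZSK plus a leftover RSASHA1 ZSK, with
# signatures made only by the RSASHA256 keys (key and signature data are placeholders).
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 8 AwEAAcKSKPLACEHOLDER
example.com. 3600 IN DNSKEY 256 3 8 AwEAAcZSKPLACEHOLDER
example.com. 3600 IN DNSKEY 256 3 5 AwEAAcOLDZSKPLACEHOLDER
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200401000000 20200301000000 12345 example.com. SIGPLACEHOLDER
example.com. 3600 IN RRSIG SOA 8 2 3600 20200401000000 20200301000000 23456 example.com. SIGPLACEHOLDER
www.example.com. 3600 IN RRSIG A 8 3 3600 20200401000000 20200301000000 23456 example.com. SIGPLACEHOLDER
"""
```

Running check_zone(SAMPLE_ZONE) lists the RSASHA1 key as lacking a KSK and as not having signed any of the three RRsets; drop that key (or sign with it as well) and the list is empty.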