Hi,
Depends on what your DNSSEC configuration is. Are you using
dnssec-signzone/named? auto-dnssec maintain? inline-signing?
dnssec-policy? dnssec-keymgr?
Yes there are a lot of ways to maintain DNSSEC in BIND. The recommended
way forward is to use dnssec-policy. Migrating to it may still be a bit
tricky*, but once you use it, changing to a new signing algorithm is pretty
simple:
1. Update your dnssec-policy, reload config.
2. Wait a little bit.
3. When the new DS is in the parent, run "rndc dnssec -checkds published"
on the right key id.
4. Also run "rndc dnssec -checkds withdrawn" on the id of the key that
has its DS removed from the parent.
5. Have a celebratory drink.
Algorithm rollover with dnssec-policy will gracefully transition to the
keys with the new algorithms, so during the rollover period you should
see your zone being signed with two algorithms.
Best regards,
Matthijs
*In principle you can just switch to dnssec-policy with your existing
key files and BIND will initialize key state files for those keys. But
there is at least one known bug that deleted keys may be used again for
signing (those deleted keys still have their key files in the key
directory). [GL #2406]
On 01-02-2021 14:40, @lbutlr wrote:
> I've been using alg-7 for DNS, but that is no longer recommended. How difficult
> is it to change the signing algorithm and what is the process (Bind 9.16.11)?
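Steps 1 to 4 of Matthijs's reply, written out as an added named.conf fragment (this is an illustration, not code from his message or from ISC): the configuration change itself is only the algorithm in the keys clause, and BIND schedules the rest. The zone name, the policy names and the key ids in the rndc commands are placeholders to replace with your own.

```conf
// Before: a dnssec-policy that produces the alg-7 (RSASHA1-NSEC3-SHA1) keys
// the question is about. Only kept here to show what changes.
dnssec-policy "legacy-alg7" {
    keys {
        ksk lifetime unlimited algorithm 7;
        zsk lifetime P90D      algorithm 7;
    };
};

// After (step 1): the same policy with the algorithm swapped. One CSK means
// the parent has to be told about exactly one new DS during the rollover.
dnssec-policy "ecdsa256" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
    // TTLs and propagation delays BIND uses to decide how long the old
    // alg-7 DNSKEY and RRSIGs must stay published before being withdrawn.
    dnskey-ttl 3600;
    max-zone-ttl 86400;
    zone-propagation-delay PT5M;
    parent-ds-ttl 86400;
    parent-propagation-delay PT1H;
};

zone "example.net" {              // placeholder zone name
    type primary;
    file "example.net.db";
    inline-signing yes;
    dnssec-policy "ecdsa256";      // was "legacy-alg7"
};

// Steps 2 to 4 at the rndc prompt, with NEW_KEY_ID / OLD_KEY_ID taken from
// "rndc dnssec -status" (placeholders here):
//   rndc reconfig
//   rndc dnssec -status example.net
//   ... submit the DS of the new ecdsap256sha256 key to the parent, then:
//   rndc dnssec -checkds -key NEW_KEY_ID published example.net
//   ... once the parent has removed the DS of the old alg-7 key:
//   rndc dnssec -checkds -key OLD_KEY_ID withdrawn example.net
```

While the rollover is in progress, "rndc dnssec -status" shows both keys and the zone carries RRSIGs from both algorithms, which is the expected double-signed state rather than a misconfiguration.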
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users