One thing I note: all checks say everything is good, but when using dnsviz, it says secure and shows the ecd... but also puts up warnings that I am using alg 13 but digest 1 (SHA-1), which is not allowed. I never use that setting when creating keys, as the guide says it is not needed. Is this a problem with them, or maybe the .com and .net zones having a longer TTL than ours (4 hours)? Confused, but I am happy enough since verisignlabs says all green ticks.
On Sat, May 1, 2021 at 4:15 AM Tony Finch <d...@dotat.at> wrote:

> Edwardo Garcia <wdgar...@gmail.com> wrote:
> >
> > One question however it talk about longest TTL, does this mean also root
> > TLD zones (.com, .net) which from memory are 48 hours, so before we delete
> > old keys we need wait 48 hours, even though our zone TTL was 24 ?
>
> When you are waiting after adding and signing with the new keys and before
> swapping the DS records, it's only the longest TTL in your own zone that
> matters. In my notes I call this the "child TTL" because the root and TLD
> etc. don't matter.
>
> https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>
> When you're waiting for the DS TTL it's only the TTL of that particular
> record that matters. (It's in the parent zone so I called it the parent
> TTL.) To be sure you are getting the right number you will need something
> like:
>
> dig +ttlunits example.com ds @$(dig +short com ns | head -1)
>
> i.e. pick one of the nameservers of the parent zone and ask it for your
> zone's DS record, so you don't get misled by decremented cached TTLs.
> Note the DS TTL is often not the same as the parent NS or glue TTL.
>
> > Thank you, wow much, much easier than I hoped for :-)
>
> I'm happy it helped!
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> https://dotat.at/
> Biscay: North, backing northwest later, 2 to 4, occasionally 5 later
> in east. Slight. Showers. Good.
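The two things the thread turns on, reading the DS TTL off a parent-zone nameserver and spotting a DS that uses digest type 1 (SHA-1), can be checked from the output of the `dig ... ds @<parent ns>` query quoted above. The script below is an added example and is not code from either poster; it parses dig-style DS answer lines, reports the longest DS TTL (the "parent TTL" to wait out), and flags SHA-1 digests, which RFC 8624 says must not be published for new delegations. The dig output embedded in it is constructed, not a real capture, and the key tag and digests are placeholder values.

```python
"""Check DS records from a parent-zone nameserver: report the DS TTL to wait
for and flag deprecated SHA-1 (digest type 1) digests.

Added example for the bind-users thread; not code from the thread itself.
SAMPLE_DIG_OUTPUT is constructed to look like `dig example.com ds @<parent>`
for a zone signed with algorithm 13 (ECDSAP256SHA256)."""
import re

# Constructed sample answer section (placeholder key tag and digests).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.\t86400\tIN\tDS\t12345 13 1 0123456789abcdef0123456789abcdef01234567
example.com.\t86400\tIN\tDS\t12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

DIGEST_NAMES = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}
# Expected hex length of each digest type; a mismatch means a mangled DS.
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

# owner TTL IN DS keytag alg digest_type digest(hex, possibly space-split)
DS_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)$"
)


def parse_ds(text):
    """Return one dict per DS record found in dig-style output; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = DS_RE.match(line.strip())
        if not m:
            continue
        owner, ttl, keytag, alg, digest_type, digest = m.groups()
        records.append({
            "owner": owner,
            "ttl": int(ttl),
            "keytag": int(keytag),
            "alg": int(alg),
            "digest_type": int(digest_type),
            "digest": digest.replace(" ", "").lower(),
        })
    return records


def ttl_units(seconds):
    """Render a TTL in human units (86400 -> '1d', 14400 -> '4h'); falls back to seconds."""
    for unit, size in (("w", 604800), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size and seconds % size == 0:
            return f"{seconds // size}{unit}"
    return f"{seconds}s"


def parent_ttl(records):
    """Longest DS TTL seen: the time old DS records may still sit in resolver caches."""
    return max((r["ttl"] for r in records), default=0)


def check_ds(records):
    """Return a list of findings: SHA-1 digests and digests of the wrong length."""
    findings = []
    for r in records:
        name = DIGEST_NAMES.get(r["digest_type"], f"type {r['digest_type']}")
        if r["digest_type"] == 1:
            findings.append(
                f"{r['owner']} keytag {r['keytag']} alg {r['alg']}: DS digest is "
                f"{name}; RFC 8624 says not to publish SHA-1 DS records, use type 2"
            )
        expected = DIGEST_HEX_LEN.get(r["digest_type"])
        if expected is not None and len(r["digest"]) != expected:
            findings.append(
                f"{r['owner']} keytag {r['keytag']}: {name} digest has "
                f"{len(r['digest'])} hex chars, expected {expected}"
            )
    return findings


if __name__ == "__main__":
    recs = parse_ds(SAMPLE_DIG_OUTPUT)
    print(f"{len(recs)} DS record(s); wait at least {ttl_units(parent_ttl(recs))} "
          "after the DS change before removing the old key")
    for f in check_ds(recs):
        print("WARNING:", f)
```

In practice you would feed it the real output of the `dig` command from the thread (queried at a parent nameserver so the TTL is not a decremented cache value); the sample shows the situation described in the first message, where an algorithm 13 key has both a SHA-1 and a SHA-256 DS published and only the SHA-1 one draws a warning.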
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users