Hi, I've been running a BIND setup with DNSSEC for many years. It was done following the guide at the DigitalOcean site.
What I don't find in a nice guide is how to change your algorithm to a more current one and seamlessly make your domain run under this new chain of data. I tried it on my own estimates of what would be required, and it seemed to be poisoned by dropping mention of the prior key files in my DNS while the Internet's cached info on our DS was still out there. Whatever has happened, I've got a running domain again, but there is an angry diagram being drawn at https://dnsviz.net/ when my domain (which will remain nameless) is analyzed. With DNS it is always hard to tell what is going on NOW due to caching, and breakage works this way as well. Is there a guide on transitioning the DNSSEC signing algorithm, or is ISC support the best way to handle this and avoid the risk of total DNS calamity?
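The failure described above (old keys removed while the parent's DS, possibly still cached, names only the old algorithm) can be caught before it happens. The following is an added example, not code from the original post or from ISC/BIND: a read-only checker that takes the DNSKEY and DS RRsets as `dig` prints them and reports which step of a conservative algorithm rollover is safe next. The domain, key tags, key material and the function names are assumptions constructed for the example.

```python
"""Added example, not from the original post: a read-only sanity check for a
DNSSEC algorithm rollover. It parses DNSKEY and DS RRsets in dig presentation
format and reports which rollover steps are safe right now."""
import re

_RR = re.compile(r"^\S+\s+\d+\s+IN\s+(DS|DNSKEY)\s+(\d+)\s+(\d+)\s+(\d+)\s+\S")


def algorithms(rrset_text):
    """Return {"DS": {...}, "DNSKEY": {...}}: algorithm numbers seen in text."""
    found = {"DS": set(), "DNSKEY": set()}
    for line in rrset_text.splitlines():
        m = _RR.match(line.strip())
        if m:  # blanks, comments, RRSIGs etc. are skipped
            rtype = m.group(1)
            # DS: <keytag> <alg> <digesttype>; DNSKEY: <flags> <proto> <alg>
            found[rtype].add(int(m.group(3 if rtype == "DS" else 4)))
    return found


def rollover_status(dnskey_text, ds_text, old_alg, new_alg):
    """Classify an old_alg -> new_alg rollover from the live RRsets."""
    keys = algorithms(dnskey_text)["DNSKEY"]
    ds = algorithms(ds_text)["DS"]
    return {
        # No published DNSKEY satisfies any DS: validators mark the zone bogus.
        "chain_broken": bool(ds) and not (ds & keys),
        # Step 1 done: new-algorithm keys (and their RRSIGs) are in the zone.
        "new_keys_published": new_alg in keys,
        # Step 2: add the new DS only after step 1 has aged past the DNSKEY TTL.
        "ok_to_add_new_ds": new_alg in keys and new_alg not in ds,
        # Step 3: drop the old DS once the parent already serves the new one.
        "ok_to_remove_old_ds": new_alg in keys and new_alg in ds and old_alg in ds,
        # Step 4: drop old keys only when no DS names the old algorithm, and
        # then only after the old DS has expired from resolver caches.
        "ok_to_remove_old_keys": old_alg in keys and old_alg not in ds,
    }


# Constructed sample records (8 = RSASHA256, 13 = ECDSAP256SHA256); key and
# digest material is placeholder text, not real cryptographic data.
OLD_KEYS = """example.test. 3600 IN DNSKEY 257 3 8 AwEAAfakeOldKsk=
example.test. 3600 IN DNSKEY 256 3 8 AwEAAfakeOldZsk="""
NEW_KEYS = """example.test. 3600 IN DNSKEY 257 3 13 fakeNewKsk=
example.test. 3600 IN DNSKEY 256 3 13 fakeNewZsk="""
OLD_DS = "example.test. 86400 IN DS 12345 8 2 FAKEOLDDIGEST"
NEW_DS = "example.test. 86400 IN DS 54321 13 2 FAKENEWDIGEST"

if __name__ == "__main__":
    # Old keys dropped while only the old DS is published: chain_broken is True.
    print(rollover_status(NEW_KEYS, OLD_DS, old_alg=8, new_alg=13))
```

Feed it the output of `dig +noall +answer <zone> DNSKEY` and `dig +noall +answer <zone> DS` (the latter from the parent's side) at each step; the TTL waits between steps are still yours to observe.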
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users