On Thu, May 5, 2022 at 1:46 PM <nico...@ncartron.org> wrote:
> Hi,
>
> On 5/5/22 6:37 PM, frank picabia <fpica...@gmail.com> wrote:
> >
> > Hi,
> >
> > I've been running a BIND setup with DNSSEC for many years.
> > It was done following the guide at the digitalocean site.
> >
> > What I don't find in a nice guide, is how to change your algorithm
> > to a more current one, and seamlessly make your domain
> > run under this new chain of data.
> >
> > I tried it on my own estimates of what would be required, and
> > it seemed to be poisoned by dropping mention of the prior
> > keys files in my DNS while the Internet's cached info
> > on our DS is still out there. Whatever has happened,
> > I've got a running domain again, but there is an angry diagram
> > being drawn at https://dnsviz.net/ when my domain (which
> > will remain nameless) is analyzed.
> >
> > With DNS it is always hard to tell what is going on NOW due
> > to caching, and breakage works this way as well.
> >
> > Is there a guide on transitioning the DNSSEC signing algorithm,
> > or is ISC support the best way to handle this
> > and avoid the risk of total DNS calamity?
>
> Tony wrote a nice article about that:
> https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>
> Cheers,
>
> --
> Nico
>

Thanks for that. My problem is these notes have little in common with how the Digital Ocean guide ran it ( https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2 ), and I don't think our domain registrar supports CDS records.
I don't understand how people can run little rndc commands as if this sticks without putting an include for the keys in the zone file. In our setting, we re-sign the zone from our host management automation. There's not enough parallel in the world of that Math department's server and what we have in our host management in production. Normally I'd be flexible to play around with something like this if it were apache or something, but I just experienced a domain outage that makes me prefer something I can really believe in.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users