On 11:23 14/09, frank picabia wrote:
> Hi,
>
> I'm at the point in DNSSEC algorithm migration
> where I have two types of keys involved in signing.
> Both algorithms 7 and 8 are in use.
>
> The top level domain registrar also has DS keys set up for both 7 and 8.
>
> I need to coordinate pulling out algorithm 7 with the domain registrar so
> our domain will be running against only algo 8.
>
> Should the TLD registrar remove 7 first, or should I remove signing of the zone
> with the algo 7 keys before they make their change?
>
> I noticed that when I tried removing signing with the algo 7 keys, and checked
> the DNS state at https://dnsviz.net/d/acadiau.ca/dnssec/
>
> I saw errors at the analyzer like this:
>
> The DS RRset for the zone included algorithm 7 (RSASHA1NSEC3SHA1), but no
> RRSIG with algorithm 7 covering the RRset was returned in the response.
>
> I'm not sure if that would be a crippling error to DNS functionality
> if I didn't reverse removal of algo 7 signing, which I've done after seeing
> this.
>
> Can I do removal of algo 7 at one side prior to the
> other (Bind signing vs TLD Registrar side),
> or do we have to try to coordinate this with the TLD
> registrar as closely as possible?
If you already have the two DS at your parent, the next step is removing the old DS, then wait, then remove the old KSK (but still have the old ZSK and old signatures), then wait, then remove everything from the old algorithm.

Adding a new DS is the other way around. You first add the new ZSK + signatures, then the KSK, then the DS at your parent.

Here's a step-by-step method, in Spanish, but hopefully the diagrams are self-explanatory:

https://hugo.salga.do/post/615501933278642176/c%C3%B3mo-hacer-un-rollover-de-algoritmo-en-dnssec

Hugo
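The ordering in the reply above follows from the consistency rule validators apply (RFC 4035 section 2.2, restated in RFC 6840 section 5.11): every algorithm listed in the parent's DS RRset must have a DNSKEY in the zone, and every algorithm in the DNSKEY RRset must sign every RRset, the apex DNSKEY RRset included. The following is an added example, not code from the thread, from BIND or from the linked post. It tracks only the algorithm numbers of the DS, KSK, ZSK and RRSIG sets (all constructed, nothing is queried), checks a state against that rule, and walks both orderings from the reply, plus the state the question describes (signing with algorithm 7 stopped while the parent still publishes a DS for it). The function and field names are the example's own.

```python
"""Algorithm-consistency check for a DNSSEC algorithm rollover (added example).

Rules modelled (RFC 4035 s2.2 / RFC 6840 s5.11):
  * each algorithm in the DS RRset must have a DNSKEY in the zone;
  * each algorithm in the DNSKEY RRset must have RRSIGs over every RRset,
    the apex DNSKEY RRset included;
  * at least one DS must match a key that signs the DNSKEY RRset.
All records are constructed; only algorithm numbers are tracked.
"""
from dataclasses import dataclass, replace

RSASHA1NSEC3SHA1 = 7   # the algorithm being retired in the thread
RSASHA256 = 8          # the algorithm being kept


@dataclass(frozen=True)
class ZoneState:
    ds: frozenset      # algorithms present in the parent's DS RRset
    ksk: frozenset     # algorithms of DNSKEYs with the SEP bit (KSKs)
    zsk: frozenset     # algorithms of DNSKEYs without the SEP bit (ZSKs)
    rrsig: frozenset   # algorithms with an RRSIG over every RRset, DNSKEY RRset included

    @property
    def dnskey(self):
        return self.ksk | self.zsk


def check(state):
    """Return the problems a validator (or dnsviz) would flag; [] means consistent."""
    problems = []
    for alg in sorted(state.ds - state.dnskey):
        problems.append(f"DS algorithm {alg} has no matching DNSKEY in the zone")
    for alg in sorted(state.ds - state.rrsig):
        problems.append(f"DS algorithm {alg} but no RRSIG with algorithm {alg}")
    for alg in sorted(state.dnskey - state.rrsig):
        problems.append(f"DNSKEY algorithm {alg} does not sign every RRset")
    if not (state.ds & state.ksk & state.rrsig):
        problems.append("no DS matches a KSK that signs the DNSKEY RRset")
    return problems


def remove_algorithm(state, old):
    """Retire `old` in the order given in the reply: DS, then KSK, then ZSK + RRSIGs.
    Wait out the relevant TTLs between steps (DS TTL at the parent,
    DNSKEY and RRSIG TTLs in the child)."""
    s1 = replace(state, ds=state.ds - {old})
    # The old ZSK keeps signing everything, the DNSKEY RRset included.
    s2 = replace(s1, ksk=s1.ksk - {old})
    s3 = replace(s2, zsk=s2.zsk - {old}, rrsig=s2.rrsig - {old})
    return [("remove DS", s1), ("remove KSK", s2), ("remove ZSK and RRSIGs", s3)]


def add_algorithm(state, new):
    """Introduce `new` in the reverse order: ZSK + RRSIGs, then KSK, then DS."""
    s1 = replace(state, zsk=state.zsk | {new}, rrsig=state.rrsig | {new})
    s2 = replace(s1, ksk=s1.ksk | {new})
    s3 = replace(s2, ds=s2.ds | {new})
    return [("add ZSK and RRSIGs", s1), ("add KSK", s2), ("add DS", s3)]


def premature_unsign(state, old):
    """The state in the question: stop signing with `old` while the parent
    still publishes a DS for it."""
    return replace(state, ksk=state.ksk - {old}, zsk=state.zsk - {old},
                   rrsig=state.rrsig - {old})


def walk(steps):
    """Check every intermediate state; returns {step name: problems}."""
    return {name: check(s) for name, s in steps}


# Constructed starting point: both algorithms everywhere, as in the question.
BOTH = ZoneState(ds=frozenset({7, 8}), ksk=frozenset({7, 8}),
                 zsk=frozenset({7, 8}), rrsig=frozenset({7, 8}))

if __name__ == "__main__":
    for name, problems in walk(remove_algorithm(BOTH, RSASHA1NSEC3SHA1)).items():
        print(f"{name}: {'ok' if not problems else problems}")
    print("premature unsign:", check(premature_unsign(BOTH, RSASHA1NSEC3SHA1)))
```

Every intermediate state of both orderings passes `check`, while `premature_unsign` reproduces the dnsviz complaint (DS algorithm 7 with no RRSIG of algorithm 7). Removing the old KSK before the old DS is also accepted by the rule as modelled, since the remaining algorithm-7 ZSK still provides a DNSKEY and signatures for that algorithm; removing the DS first is simply the order that never depends on that.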
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users