That's a good resource. Thanks, Hugo.
On Wed, Sep 14, 2022 at 1:40 PM Hugo Salgado <hsalg...@nic.cl> wrote:
> On 11:23 14/09, frank picabia wrote:
> > Hi,
> >
> > I'm at the point in DNSSEC algorithm migration
> > where I have two types of keys involved in signing.
> > Both algorithm 7 and 8 are in use.
> >
> > The top level domain registrar also has DS keys set up for both 7 and 8.
> >
> > I need to coordinate pulling out algorithm 7 with the domain registrar so
> > our domain will be running against only algo 8.
> >
> > Should the TLD registrar remove 7 first, or should I remove signing of the zone
> > with the algo 7 keys before they make their change?
> >
> > I noticed that when I tried removing signing with the algo 7 keys, and checked
> > the DNS state at https://dnsviz.net/d/acadiau.ca/dnssec/
> >
> > I saw errors at the analyzer like this:
> >
> > The DS RRset for the zone included algorithm 7 (RSASHA1NSEC3SHA1), but no
> > RRSIG with algorithm 7 covering the RRset was returned in the response.
> >
> > I'm not sure if that would be a crippling error to DNS functionality
> > if I didn't reverse removal of algo 7 signing, which I've done after seeing
> > this.
> >
> > Can I do removal of algo 7 at one side prior to the
> > other (Bind signing vs TLD Registrar side),
> > or do we have to try to coordinate this with the TLD
> > registrar as closely as possible?
>
> If you already have the two DS at your parent, the next step is
> removing the old DS, then wait, then remove the old KSK (but
> still have the old ZSK and old signatures), then wait, then
> remove everything from the old algorithm.
>
> Adding a new DS is the other way around. You first add the
> new ZSK + signatures, then the KSK, then the DS at your parent.
>
> Here's a step-by-step method, in Spanish, but hopefully the
> diagrams are self-explanatory:
>
> https://hugo.salga.do/post/615501933278642176/c%C3%B3mo-hacer-un-rollover-de-algoritmo-en-dnssec
>
> Hugo
>
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
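The ordering question in the thread can be checked mechanically. The script below is an added example, not code from the thread, from Hugo's post or from BIND: it models a zone purely as the set of algorithm numbers present in the parent's DS RRset, the apex KSKs and ZSKs, and the RRSIGs over the DNSKEY RRset and over the rest of the zone, then applies the server-side rules a dnsviz-style analyzer checks (RFC 6840 §5.11: a DNSKEY for every algorithm in the DS RRset; RFC 4035 §2.2: an RRSIG of every DNSKEY-RRset algorithm on every RRset). It walks Hugo's removal order (DS, then KSK, then ZSK and signatures) and his addition order (ZSK and signatures, then KSK, then DS) and confirms every intermediate state is consistent, and it reproduces the state frank hit by stopping algorithm-7 signing while the registrar still published the algorithm-7 DS. Key tags, TTLs and signature validity windows are left out; the assumption that the ZSK also signs the apex DNSKEY RRset (BIND's default, `dnssec-dnskey-kskonly no`) is marked in the code.

```python
"""Algorithm-rollover ordering check (added example; not code from the thread or BIND).

The zone is modelled only by the set of algorithm numbers present in each RRset
type; key tags, TTLs and signature validity windows are ignored.  IANA numbers:
7 = RSASHA1-NSEC3-SHA1 (being retired in the thread), 8 = RSASHA256 (being kept).
"""
from dataclasses import dataclass, replace

RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8


@dataclass(frozen=True)
class ZoneState:
    ds: frozenset           # algorithms of the DS records held by the parent (registrar side)
    ksk: frozenset          # algorithms of the KSKs in the apex DNSKEY RRset
    zsk: frozenset          # algorithms of the ZSKs in the apex DNSKEY RRset
    dnskey_sigs: frozenset  # algorithms of the RRSIGs covering the apex DNSKEY RRset
    zone_sigs: frozenset    # algorithms of the RRSIGs covering every other RRset

    @property
    def dnskey_algs(self):
        return self.ksk | self.zsk


def uniform(*algs):
    """A zone in steady state: every algorithm in `algs` is present everywhere."""
    a = frozenset(algs)
    return ZoneState(ds=a, ksk=a, zsk=a, dnskey_sigs=a, zone_sigs=a)


def check(state):
    """Report violations of the server-side signing requirements.

    RFC 6840 s5.11: a DNSKEY of every algorithm in the DS RRset must be published.
    RFC 4035 s2.2 : every RRset must carry an RRSIG of every algorithm in the DNSKEY
                    RRset, and (for the chain of trust) of every algorithm in the DS.
    Returns an empty list when the state is consistent.
    """
    problems = []
    for alg in sorted(state.ds - state.dnskey_algs):
        problems.append(f"DS includes algorithm {alg}, but no DNSKEY with algorithm {alg} is published")
    for alg in sorted(state.ds | state.dnskey_algs):
        source = "DS" if alg in state.ds else "DNSKEY"
        for rrset, sigs in (("DNSKEY", state.dnskey_sigs), ("zone data", state.zone_sigs)):
            if alg not in sigs:
                problems.append(f"{source} RRset includes algorithm {alg}, but no RRSIG "
                                f"with algorithm {alg} covers the {rrset} RRset")
    return problems


def add_algorithm(state, alg):
    """Hugo's order for introducing an algorithm: ZSK + signatures, then KSK, then DS.

    Assumption: the new ZSK also signs the apex DNSKEY RRset, as BIND does by default
    (dnssec-dnskey-kskonly no); otherwise the DNSKEY RRset would lack an RRSIG of the
    new algorithm until the KSK is published.
    """
    s1 = replace(state, zsk=state.zsk | {alg},
                 zone_sigs=state.zone_sigs | {alg}, dnskey_sigs=state.dnskey_sigs | {alg})
    s2 = replace(s1, ksk=s1.ksk | {alg})
    s3 = replace(s2, ds=s2.ds | {alg})
    return [("publish ZSK + sign with it", s1), ("publish KSK", s2), ("parent adds DS", s3)]


def remove_algorithm(state, alg):
    """Hugo's order for retiring an algorithm: DS at the parent first, then the KSK
    (old ZSK and its signatures stay), then everything else of that algorithm."""
    s1 = replace(state, ds=state.ds - {alg})
    s2 = replace(s1, ksk=s1.ksk - {alg})
    s3 = replace(s2, zsk=s2.zsk - {alg},
                 dnskey_sigs=s2.dnskey_sigs - {alg}, zone_sigs=s2.zone_sigs - {alg})
    return [("parent removes DS", s1), ("remove KSK", s2), ("remove ZSK + signatures", s3)]


def stop_signing_first(state, alg):
    """The order tried in the thread: stop signing with the old keys while the
    parent still publishes the old DS.  Returns the resulting single state."""
    return replace(state, ksk=state.ksk - {alg}, zsk=state.zsk - {alg},
                   dnskey_sigs=state.dnskey_sigs - {alg}, zone_sigs=state.zone_sigs - {alg})


def walk(steps):
    """Run `check` over every intermediate state; returns {step label: problems}."""
    return {label: check(s) for label, s in steps}


if __name__ == "__main__":
    start = uniform(RSASHA1_NSEC3_SHA1, RSASHA256)  # both algorithms everywhere, as in the thread
    for label, problems in walk(remove_algorithm(start, RSASHA1_NSEC3_SHA1)).items():
        print(f"{label:28s} {'ok' if not problems else problems}")
    print()
    for p in check(stop_signing_first(start, RSASHA1_NSEC3_SHA1)):
        print("premature removal:", p)
```

Every step of Hugo's removal order comes back clean, because the old DS is gone before any algorithm-7 key or signature disappears, and while the algorithm-7 ZSK remains in the DNSKEY RRset its signatures remain too. The premature order yields exactly the class of finding dnsviz reported: a DS algorithm with no matching DNSKEY and no RRSIG of that algorithm on any RRset. One caveat on severity: these are requirements on the signer, and RFC 6840 §5.11 tells validators to accept any single valid path rather than insist that every algorithm in the DS or DNSKEY RRset validates, so the intermediate state is non-compliant and correctly flagged, but it does not by itself make the zone bogus for a validator that follows that guidance.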