In message <1318673495.8491.89.ca...@mjelap.posix.co.za>, Mark Elkins writes:
>
> Saw the light of day and decided to change my DNSSEC signing script to
> create DNS Keys with RSASHA256 rather than RSASHA1. It seems one can not
> mix these two in the same zone
>
> I've created a short script
On Sat, Oct 15, 2011 at 1:31 PM, Mark Elkins wrote:
> True - no problem with a handful of zones.
>
> Now assume a few thousand being automated from some script.
>
> Wonder if OpenDNSSEC handles this at all?
>
> OK - so I've rewritten my script to not worry (Don't Panic) - just keep
> using the mo
True - no problem with a handful of zones.
Now assume a few thousand being automated from some script.
Wonder if OpenDNSSEC handles this at all?
OK - so I've rewritten my script to not worry (Don't Panic) - just keep
using the monthly KSK's with RSASHA1 until it sees a ZSK with the
RSASHA256 alg
On 15/10/2011 20:32, Mark Elkins wrote:
> So what you are saying in practical terms is in order to migrate from
> RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> cycle once a year) and then at exactly the same time start using
> RSASHA256 on the KSK's (which cycle every mo
On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote:
>
> On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins wrote:
> Basically - create a KSK and ZSK with RSASHA1 - Sign - and
> visibly check
> the results.
> Add a new KSK using RSASHA256 - prep the zone and sign again
Even more fun on HP-UX is that in addition to the hosts line in nsswitch.conf
they allow for a separate line called ipnodes used by IPv6 routines whereas
hosts is only used by the older routines (gethostbyname etc...). It bit me
when using NetBackup 7 because Symantec started using the IPv6 ro
On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins wrote:
> Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
> the results.
> Add a new KSK using RSASHA256 - prep the zone and sign again.
> 1 - Signer is confused - can not sign (or generate a new Signed
> Zone)...
>V
Saw the light of day and decided to change my DNSSEC signing script to
create DNS Keys with RSASHA256 rather than RSASHA1. It seems one can not
mix these two in the same zone
I've created a short script to demonstrate the issue.
I've attached "RunTest" that simulates what I am doing.
It uses
On 12/10/11 23:09, Kevin Darcy wrote:
> As far as I know, only HP-UX has hacked nslookup to look at /etc/hosts.
> And I don't think it even looks at the "switch" file or other naming
> sources (e.g. Yellow Plague). HP-UX's nslookup "enhancement" is a
> one-off, I believe.
For the record, on HP-UX i