I propose the following addition to the Bv9ARM, and request review and comment
by the experts on this list.
--
4.9.14 DNSKEY Algorithm Rollover
>From time to time new digital signature algorithms with improved security are
>introduced, and it may be desirable for administrators to roll
ctive.
I processed the keys for algorithm 5 (the one to be removed) as follows using
dnssec-settime:
1) For keys with a deletion date in the past, do nothing.
2) For keys currently published but deactivated, set the deletion date to
earlier today (20120624).
3) For keys currently published and a
> I discovered that if there was not at least one KSK and ZSK of the same
> algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life of
> one year and ZSK of one month, effectively to roll a key algorithm and
> without forcing the roll-over by removing all the old key/algorithm
> I don't think that bind trying to sign with non-existent key will do any harm
> - probably just warning.
> But it's simpler - change metadata of the key - set deletion time to the time
> you want the key to be deleted (like DS deletion time+TTL).
> Bind with auto-dnssec allow re-reads the metad
On Sat, 2012-06-23 at 22:34 +, Spain, Dr. Jeffry A. wrote:
> I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8.
> The Bv9ARM doesn't discuss this procedure explicitly as far as I can
> tell, but section 4.9 presents some clues. I'd like to ask the experts
> on this list if th
Hello,
On 6/24/12 10:07 AM, Carsten Strotmann (private) wrote:
> It might even be a new Windows 2012 DNS server, and it might be an
> issue with this new version. This is just speculation, but if it is
> an issue with Windows 2012 DNS, it might be g
Hello Jeffry,
On 6/22/12 1:25 PM, Spain, Dr. Jeffry A. wrote:
> From what I observed I would conclude that dns11.one.microsoft.com
> is a Windows DNS server since it behaves like mine except for the
> AA flag not being set in theirs.
It might even be
Hello Gabriele,
On 6/24/12 5:57 AM, Gabriele Paggi wrote:
> Hello Carsten,
>
> Thanks for your reply!
>> about the FORMERR. This might be caused by a Firewall or other
>> middlebox that truncates the large answer containing the NS
>> record set for