The rules for what gets signed by what are per algorithm. Additionally the
SEP bit is a hint to the signer as to what is desired. Named has controls to
say whether to pay attention to the SEP bit or not. Additionally it will
override those controls to pay attention to the SEP but if it believes tha
I honestly don’t remember the reasoning, only the outcome. Maybe Mark or
someone else from ISC can shed some light? I couldn’t find the answer to this
regular (but infrequent) question in the ISC KB.
Regards,
Chris Buxton
> On Aug 30, 2021, at 3:40 PM, raf via bind-users
> wrote:
>
> On Mon,
Michael,
there has never been a need to pre-publish RRSIGs because the DNS is
a loosely coherent system and from outside you can’t determine which DNSKEY
RRset signed which other RRset. There is only one regular lookup where you
can determine whether the RRset is signed by all the algori
Hi,
I have, in the past, used the "conservative" approach to performing
algorithm rollovers for various domains. For many domains, this is
probably overkill, but I'd prefer to have the option of doing it,
especially for those mission-critical domains where you really don't
want to rely simpl
On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton
wrote:
> What algorithm(s) are you using for ZSK and KSK? If they’re not the
> same algorithm, then both will be used to sign the entire zone.
>
> Regards,
> Chris Buxton
Just out of curiosity, why is that?
Isn't having the KSK sign the ZS
What algorithm(s) are you using for ZSK and KSK? If they’re not the same
algorithm, then both will be used to sign the entire zone.
Regards,
Chris Buxton
> On Aug 30, 2021, at 9:08 AM, Timothy A. Holtzen via bind-users
> wrote:
>
> Signed PGP part
> I've had an issue with my key rotation proc
I've had an issue with my key rotation process on a couple of zones. I
believe I've resolved that issue but it appears to me in several cases
the KSKs rather than being used to sign the ZSK are being used to sign
the zone records directly.
https://dnsviz.net/d/testmenwu.com/dnssec/?rr=2&a=all&ds=