On Sun, 2011-10-16 at 12:13 +0100, Phil Mayers wrote:
> On 10/15/2011 08:32 PM, Mark Elkins wrote:
> >
> > So what you are saying in practical terms is in order to migrate from
> > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> > cycle once a year) and then at exactly the
On 10/15/2011 08:32 PM, Mark Elkins wrote:
So what you are saying in practical terms is in order to migrate from
RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
cycle once a year) and then at exactly the same time start using
RSASHA256 on the KSK's (which cycle every mont
In message <1318673495.8491.89.ca...@mjelap.posix.co.za>, Mark Elkins writes:
>
> Saw the light of day and decided to change my DNSSEC signing script to
> create DNS Keys with RSASHA256 rather than RSASHA1. It seems one can not
> mix these two in the same zone
>
> I've created a short script
On Sat, Oct 15, 2011 at 1:31 PM, Mark Elkins wrote:
> True - no problem with a handful of zones.
>
> Now assume a few thousand being automated from some script.
>
> Wonder if OpenDNSSEC handles this at all?
>
> OK - so I've rewritten my script to not worry (Don't Panic) - just keep
> using the mo
True - no problem with a handful of zones.
Now assume a few thousand being automated from some script.
Wonder if OpenDNSSEC handles this at all?
OK - so I've rewritten my script to not worry (Don't Panic) - just keep
using the monthly KSK's with RSASHA1 until it sees a ZSK with the
RSASHA256 alg
On 15/10/2011 20:32, Mark Elkins wrote:
> So what you are saying in practical terms is in order to migrate from
> RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> cycle once a year) and then at exactly the same time start using
> RSASHA256 on the KSK's (which cycle every mo
On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote:
>
> On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins wrote:
> Basically - create a KSK and ZSK with RSASHA1 - Sign - and
> visibly check
> the results.
> Add a new KSK using RSASHA256 - prep the zone and sign again
On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins wrote:
> Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
> the results.
> Add a new KSK using RSASHA256 - prep the zone and sign again.
> 1 - Signer is confused - can not sign (or generate a new Signed
> Zone)...
>V
Saw the light of day and decided to change my DNSSEC signing script to
create DNS Keys with RSASHA256 rather than RSASHA1. It seems one can not
mix these two in the same zone
I've created a short script to demonstrate the issue.
I've Attached "RunTest" that simulates what I am doing.
It uses
9 matches
Mail list logo
