On Sun, 2011-10-16 at 12:13 +0100, Phil Mayers wrote:
> On 10/15/2011 08:32 PM, Mark Elkins wrote:
> >
> > So what you are saying in practical terms is in order to migrate from
> > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> > cycle once a year) and then at exactly the
On 10/15/2011 08:32 PM, Mark Elkins wrote:
So what you are saying in practical terms is in order to migrate from
RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
cycle once a year) and then at exactly the same time start using
RSASHA256 on the KSK's (which cycle every mont
In message <1318673495.8491.89.ca...@mjelap.posix.co.za>, Mark Elkins writes:
>
> Saw the light of day and decided to change my DNSSEC signing script to
> create DNS Keys with RSASHA256 rather than RSASHA1. It seems one can not
> mix these two in the same zone
>
> I've created a short script
On Sat, Oct 15, 2011 at 1:31 PM, Mark Elkins wrote:
> True - no problem with a handful of zones.
>
> Now assume a few thousand being automated from some script.
>
> Wonder if OpenDNSSEC handles this at all?
>
> OK - so I've rewritten my script to not worry (Don't Panic) - just keep
> using the mo
True - no problem with a handful of zones.
Now assume a few thousand being automated from some script.
Wonder if OpenDNSSEC handles this at all?
OK - so I've rewritten my script to not worry (Don't Panic) - just keep
using the monthly KSK's with RSASHA1 until it sees a ZSK with the
RSASHA256 alg
On 15/10/2011 20:32, Mark Elkins wrote:
> So what you are saying in practical terms is in order to migrate from
> RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> cycle once a year) and then at exactly the same time start using
> RSASHA256 on the KSK's (which cycle every mo
On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote:
>
> On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins wrote:
> Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
> the results.
> Add a new KSK using RSASHA256 - prep the zone and sign again
On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins wrote:
> Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
> the results.
> Add a new KSK using RSASHA256 - prep the zone and sign again.
> 1 - Signer is confused - can not sign (or generate a new Signed
> Zone)...
>V