Hi,
I recently moved from auto-dnssec to dnssec-policy and after the
switch I tried to change a zone from an RSA ZSK/KSK to an ECDSA CSK.
When I changed the dnssec-policy from rsa to ecdsa-csk the old keys
immediately got removed which led to a bogus DNSSEC for the zone. I
was expecting a rollov
* Matthijs Mekking [2023-06-02 14:10]:
> Did you wait until the migration was complete? Everything needs to be
> omnipresent after the migration before you can make DNSSEC policy changes
> safely.
Well there was no easy way to tell if migration was complete, there
were no indications if the DS
Hello,
I noticed a change in the host tool in regard to how searches are done
when there are >= "ndots" dots in the query. In the following case
ndots is always nonexistent in the configuration.
With bind 9.8 (Debian 1:9.8.4.dfsg.P1):
$ host -d test.example
Trying "test.example"
Received 105 byt
* Barry Margolin [2014-09-15 15:18]:
> In article ,
> Steven Carr wrote:
>
> > On 15 September 2014 13:29, Lightner, Jeff wrote:
> > > I've begun seeing this recently in nslookup on Windows workstations as
> > > well. It appears it is appending search domains even when I've
> > > specifie
Hello,
I use BIND 9.9.5 with inline-signing and noticed that the NSEC records
have different TTLs. I can't really explain why there is a difference.
A few of the NSEC records have TTL 300 which is my SOA minimum
(negative) TTL. This should be fine in regard to RFC4035 which states
that every NSEC
Hello,
is there a guide for an algorithm rollover with BIND9 for an
inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
find a good guide for it. I already looked at the ISC DNSSEC Guide but
it doesn't seem to cover that the RRSIGs made by the new keys need to
be published befor
* Mark Andrews [2016-10-06 23:33]:
> > is there a guide for an algorithm rollover with BIND9 for an
> > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
> > find a good guide for it. I already looked at the ISC DNSSEC Guide but
> > it doesn't seem to cover that the RRSIGs mad
* Tony Finch [2016-10-10 12:36]:
> I thought the algorithm rollover process is required to be: introduce new
> ZSK and KSK and sign the zone; wait for old records to expire; flip the DS
> from old to new; wait for old DS to expire; delete old ZSK and KSK and
> RRSIGs. A double-DS algorithm rollove
* Jim Popovitch [2016-10-10 23:42]:
> On Mon, Oct 10, 2016 at 7:51 AM, Sebastian Wiesinger
> wrote:
> >
> > http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/
> >
> > After the DS TTL expired I removed the old DS, so the zone now looks
> > like this:
> >
>