dnssec-policy change from ZSK/KSK to CSK failed (bogus DNSSEC for zone)

2023-06-02 Thread Sebastian Wiesinger
Hi, I recently moved from auto-dnssec to dnssec-policy and after the switch I tried to change a zone from an RSA ZSK/KSK to an ECDSA CSK. When I changed the dnssec-policy from rsa to ecdsa-csk the old keys immediately got removed which led to a bogus DNSSEC for the zone. I was expecting a rollov

Re: dnssec-policy change from ZSK/KSK to CSK failed (bogus DNSSEC for zone)

2023-06-02 Thread Sebastian Wiesinger
* Matthijs Mekking [2023-06-02 14:10]: > Did you wait until the migration was complete? Everything needs to be > omnipresent after the migration before you can make DNSSEC policy changes > safely. Well there was no easy way to tell if migration was complete, there were no indications if the DS

Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Sebastian Wiesinger
Hello, I noticed a change in the host tool in regard to how searches are done when there are >= "ndots" dots in the query. In the following case ndots is always nonexistent in the configuration. With bind 9.8 (Debian 1:9.8.4.dfsg.P1): $ host -d test.example Trying "test.example" Received 105 byt

Re: Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Sebastian Wiesinger
* Barry Margolin [2014-09-15 15:18]: > In article , > Steven Carr wrote: > > > On 15 September 2014 13:29, Lightner, Jeff wrote: > > > I've begun seeing this recently in nslookup on Windows workstations as > > > well. It appears it is appending search domains even when I've > > > specifie

NSEC TTLs

2014-11-24 Thread Sebastian Wiesinger
Hello, I use BIND 9.9.5 with inline-signing and noticed that the NSEC records have different TTLs. I can't really explain why there is a difference. A few of the NSEC records have TTL 300 which is my SOA minimum (negative) TTL. This should be fine in regard to RFC4035 which states that every NSEC

BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-06 Thread Sebastian Wiesinger
Hello, is there a guide for an algorithm rollover with BIND9 for an inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to find a good guide for it. I already looked at the ISC DNSSEC Guide but it doesn't seem to cover that the RRSIGs made by the new keys need to be published befor

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-07 Thread Sebastian Wiesinger
* Mark Andrews [2016-10-06 23:33]: > > is there a guide for an algorithm rollover with BIND9 for an > > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to > > find a good guide for it. I already looked at the ISC DNSSEC Guide but > > it doesn't seem to cover that the RRSIGs mad

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-10 Thread Sebastian Wiesinger
* Tony Finch [2016-10-10 12:36]: > I thought the algorithm rollover process is required to be: introduce new > ZSK and KSK and sign the zone; wait for old records to expire; flip the DS > from old to new; wait for old DS to expire; delete old ZSK and KSK and > RRSIGs. A double-DS algorithm rollove

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-11 Thread Sebastian Wiesinger
* Jim Popovitch [2016-10-10 23:42]: > On Mon, Oct 10, 2016 at 7:51 AM, Sebastian Wiesinger > wrote: > > > > http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/ > > > > After the DS TTL expired I removed the old DS, so the zone now looks > > like this: > > >