True - no problem with a handful of zones. Now assume a few thousand being automated from some script.
Wonder if OpenDNSSEC handles this at all?

OK - so I've rewritten my script to not worry (Don't Panic) - just keep using the monthly KSKs with RSASHA1 until it sees a ZSK with the RSASHA256 algorithm - then just switch over to creating KSKs with RSASHA256 as well. I just never knew switching algorithms would bite me. No one ever told me.

On Sat, 2011-10-15 at 20:58 +0100, Matthew Seaman wrote:
> On 15/10/2011 20:32, Mark Elkins wrote:
> > So what you are saying in practical terms is in order to migrate from
> > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> > cycle once a year) and then at exactly the same time start using
> > RSASHA256 on the KSK's (which cycle every month) - making any existing
> > ZSK using RSASHA1 (or their DS's in the parent) redundant after about a
> > further month.
>
> You don't have to wait. There's nothing to stop you doing an early key
> rollover for your ZSK, and switching algorithms. Where you can either
> revoke the old ZSK or change its expiry date -- once you've got the DS
> records in the parent updated, of course.
>
> Cheers,
>
> Matthew

-- 
Mark Elkins <m...@posix.co.za>
Posix Systems
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
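The rule Mark's script now follows, as an added example that is not from the thread, BIND or OpenDNSSEC: a Python checker that parses a zone's DNSKEY RRset, picks the algorithm for the next KSK (stay on RSASHA1 until an RSASHA256 ZSK is published, then switch), and flags algorithms held by only one key role. The owner name, TTLs and key material are constructed placeholders.

```python
"""Added example, not from the thread: choose the next KSK's algorithm by the rule in
the post above and flag DNSKEY RRsets where an algorithm is held by only one key role.
Sample records are constructed; key material is a placeholder."""
from dataclasses import dataclass

RSASHA1, RSASHA256 = 5, 8   # IANA DNSSEC algorithm numbers
SEP_BIT = 0x0001            # Secure Entry Point flag: set on KSKs (257), clear on ZSKs (256)

@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    algorithm: int

    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_BIT)

def parse_dnskeys(zone_text: str) -> list:
    """Extract DNSKEY records from zone-file presentation format, skipping comments and other RRs."""
    keys = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()       # drop ';' comments, tokenize
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
        if protocol == 3:                           # RFC 4034 3.1.2: anything else is not a DNSSEC key
            keys.append(DnsKey(fields[0].lower(), flags, algorithm))
    return keys

def next_ksk_algorithm(keys, old_alg=RSASHA1, new_alg=RSASHA256) -> int:
    """Keep issuing KSKs with old_alg until a ZSK with new_alg is published, then switch."""
    zsk_algs = {k.algorithm for k in keys if not k.is_ksk()}
    return new_alg if new_alg in zsk_algs else old_alg

def single_role_algorithms(keys) -> list:
    """Algorithms present only on KSKs or only on ZSKs. RFC 4035 2.2 requires every
    algorithm in the DNSKEY RRset to sign every RRset, so the other role must catch up."""
    ksk_algs = {k.algorithm for k in keys if k.is_ksk()}
    zsk_algs = {k.algorithm for k in keys if not k.is_ksk()}
    return sorted(ksk_algs ^ zsk_algs)

# Constructed sample: mid-rollover, RSASHA256 ZSK published while the KSK is still RSASHA1.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 5 PLACEHOLDERKEYMATERIAL= ; KSK RSASHA1
example.test. 3600 IN DNSKEY 256 3 5 PLACEHOLDERKEYMATERIAL= ; ZSK RSASHA1
example.test. 3600 IN DNSKEY 256 3 8 PLACEHOLDERKEYMATERIAL= ; ZSK RSASHA256
example.test. 3600 IN NS ns1.example.test.
"""
```

Running `single_role_algorithms` across a few thousand zones after each signing run is a cheap way to catch a zone whose KSKs and ZSKs have drifted onto different algorithms.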