On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote: > Thanks a lot, I have now resolved this issue. However, I was following > the DNSSEC in 6 minutes guide [1] > for learning purposes and I have followed all the steps up to "you are > now serving DNSSEC signed zones".
Reading the presentation - which dates itself....
Slide 16, rather use
dnsseckeygen -a RSASHA256 -b 1024 -n ZONE zonename (for ZSK)
Slide - 18: Also use RSASHA256 for the KSK. I personally use just 2048
bits for the KSK.
This avoids you having to do an algorithm rollover - which is a royal
pain in the proverbial. Its also what the 'root' uses.
('dig @i.root-servers.net. . dnskey' gives:
'DNSKEY 257 3 8' - and - 'DNSKEY 256 3 8')
The '8' part is algo RSASHA256, you probably have a '5' there.
--
. . ___. .__ Posix Systems - (South) Africa
/| /| / /__ m...@posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
