My zones are currently using algorithm 5 (RSASHA1), with two KSKs and two ZSKs with overlapping timers. In preparation for updating to algorithm 8 (RSASHA256), I read:

- The bind-users thread "KSK signing all records; NSEC3 algorithm status?"
- https://tools.ietf.org/html/rfc6781#page-31
- https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over

Is there a more authoritative document that describes the algorithm rollover procedure?

It seems that I need to:

- generate new ZSKs and KSKs using algorithm 8
- sign the zone with all the keys
- wait one TTL cycle, then publish a new DNSKEY RRset
- wait one TTL cycle, then upload the new DS RRset
- ...
- eventually, remove the old KSKs from the DNSKEY RRset, but still use them to sign the zone
- wait one TTL cycle, then resign the zone without the old KSKs

For that to work, I need to get dnssec-signzone to sign a zone without publishing the keys (activate < publish) and (inactivate > delete).

'man dnssec-signzone', under -S smart signing, talks about the following timers: (publication, activation, revocation, unpublication, deletion). That man page implies that dnssec-signzone will always publish keys that it has used to sign the zone. The use of 'unpublication' and the lack of any mention of 'inactivate' seems to be an oversight.

'man dnssec-settime' documents the following timers: (P publication, A activation, R revocation, I retired (inactive?), D deleted).

'dnssec-settime -p all' uses the (Created, Publish, Activate, Revoke, Inactive, Delete) names.
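An added example, not code from the post or from BIND, that models the schedule described above: each key carries the four dnssec-settime timers the post names (P, A, I, D) as day numbers, and the check flags any day on which a validator holding a DNSKEY RRset and RRSIGs fetched up to one TTL apart would see an algorithm in DNSKEY with no matching signatures, which is what the wait-one-TTL steps protect against. Key names, day numbers and the one-day TTL are constructed, and the DS change is not modelled.

```python
"""Check an RFC 6781-style algorithm rollover schedule against the RFC 4035 2.2
rule that every algorithm in the DNSKEY RRset must also sign every RRset,
allowing for a resolver that caches one set while fetching the other fresh."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    name: str
    alg: int
    activate: int  # day RRSIGs made with this key first appear (dnssec-settime -A)
    publish: int   # day its DNSKEY record enters the zone (dnssec-settime -P)
    inactive: int  # day it stops signing (dnssec-settime -I)
    delete: int    # day its DNSKEY record leaves the zone (dnssec-settime -D)

def published_algs(keys, day):
    """Algorithms present in the DNSKEY RRset served on `day`."""
    return {k.alg for k in keys if k.publish <= day < k.delete}

def signing_algs(keys, day):
    """Algorithms whose RRSIGs are present in the zone on `day`."""
    return {k.alg for k in keys if k.activate <= day < k.inactive}

def rollover_violations(keys, last_day, ttl):
    """Return (day, dnskey_day, rrsig_day, missing_algs) for every combination
    of a DNSKEY RRset and an RRSIG set fetched at most `ttl` days apart in
    which some DNSKEY algorithm has no signatures."""
    bad = []
    for day in range(last_day + 1):
        window = range(max(0, day - ttl), day + 1)
        for d_key in window:
            for d_sig in window:
                missing = published_algs(keys, d_key) - signing_algs(keys, d_sig)
                if missing:
                    bad.append((day, d_key, d_sig, sorted(missing)))
    return bad

# Constructed schedule from the post with one TTL (= 1 day here) between steps:
# day 1 sign with alg 8, day 2 publish alg 8 DNSKEYs, day 3 replace DS (not
# modelled), day 4 withdraw alg 5 DNSKEYs, day 5 stop signing with alg 5.
OLD_KEYS = [Key("ksk-alg5", 5, 0, 0, 5, 4), Key("zsk-alg5", 5, 0, 0, 5, 4)]
NEW_KEYS = [Key("ksk-alg8", 8, 1, 2, 99, 99), Key("zsk-alg8", 8, 1, 2, 99, 99)]
# Same rollover with the TTL waits skipped: alg 8 published the day it starts
# signing, alg 5 withdrawn and deactivated on the same day.
RUSHED_OLD = [Key("ksk-alg5", 5, 0, 0, 4, 4), Key("zsk-alg5", 5, 0, 0, 4, 4)]
RUSHED_NEW = [Key("ksk-alg8", 8, 1, 1, 99, 99), Key("zsk-alg8", 8, 1, 1, 99, 99)]

if __name__ == "__main__":
    print("careful:", rollover_violations(OLD_KEYS + NEW_KEYS, 8, 1))  # []
    print("rushed: ", rollover_violations(RUSHED_OLD + RUSHED_NEW, 8, 1))
```

The rushed schedule reports a day on which a cached alg 5 RRSIG set meets a DNSKEY RRset that already lists alg 8, and a day on which a cached DNSKEY RRset still listing alg 5 meets signatures made only with alg 8.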