And yet, after updating Gemtrade.fi to dnssec-policy, ZSK and KSK both "13", and updating the DS record at the .fi root, I still get:
(algorithm 13 not supportedsignature verification failed) In Verisign DNSSEC verifier. Lähettäjä: bind-users <bind-users-boun...@lists.isc.org> Puolesta Jukka Pakkanen Lähetetty: 16. huhtikuuta 2020 1:22 Vastaanottaja: bind-us...@isc.org Aihe: 9.16.2 / DNSSEC / DS records Updating from 9.14.11 to 9.16.2, and migrating existing signed zones to dnssec-policy, and have couple questions, probably quite trivial... We have signed zones with different key algorithms, now I want everything under the same ecdsa256 policy. I guess when the key algorithm changes, example from 8 to 13, we need to update the DS key at the registrar as well? About the DS keys, where can I find or retrieve them after the zone is automatically resigned by the dnssec-policy, to insert in to Hover.com's zone data? The Finnish Traficom .fi root service was able to retrieve the new DS records it self, but for Hover need to insert them manually. Do I need to keep the old DS records at the registrar for some period of time, of can I just swap the information there, without breaking anything?
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
