> On 16 Apr 2020, at 09:21, Jukka Pakkanen <jukka.pakka...@qnet.fi> wrote:
> 
> Updating from 9.14.11 to 9.16.2, and migrating existing signed zones to 
> dnssec-policy, and have a couple of questions, probably quite trivial…
> 
> We have signed zones with different key algorithms, now I want everything 
> under the same ecdsa256 policy.  I guess when the key algorithm changes, 
> for example from 8 to 13, we need to update the DS key at the registrar as well?

Yes.

> About the DS keys, where can I find or retrieve them after the zone is 
> automatically resigned by the dnssec-policy, to insert into Hover.com’s zone 
> data?

dnssec-policy will publish CDS and CDNSKEY records after the right amount of 
time and if your registrar is checking they will automatically update the DS 
RRset in the parent zone.  Otherwise you can use dnssec-dsfromkey to generate 
DS records from the DNSKEY records.

> The Finnish Traficom .fi root service was able to retrieve the new DS records 
> itself, but for Hover I need to insert them manually.
> 
> Do I need to keep the old DS records at the registrar for some period of 
> time, or can I just swap the information there, without breaking anything?

You can swap, but note you need to wait until all caches are free of the records 
that were only signed with algorithm 8.  Once the DS records are published you 
have to wait until all old DS records that listed algorithm 8 have cleared from 
caches before you stop signing with algorithm 8.  There should be no CDS or 
CDNSKEY records for algorithm 8 when you do this.

> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
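
For the manual-registrar case discussed above, this added example (not part of the original messages and not ISC code) shows how a SHA-256 DS record is derived from a DNSKEY record: key tag, algorithm, digest type 2, and SHA-256 over the owner name in wire form followed by the DNSKEY RDATA (RFC 4034, RFC 4509). The example.com keys are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import struct

# Constructed sample input (not real keys): a SEP key and a ZSK, algorithm 13.
PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_ZONE_KEYS = [
    f"example.com. 3600 IN DNSKEY 257 3 13 {PUBKEY_B64}",
    f"example.com. 3600 IN DNSKEY 256 3 13 {PUBKEY_B64}",
]

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Split 'owner [ttl] [class] DNSKEY flags proto alg base64...' into fields."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))

def ds_from_dnskey(line):
    """Build the SHA-256 (digest type 2) DS line for one DNSKEY line."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"

def ds_records(dnskey_lines):
    """DS lines for the keys with the SEP flag set (KSK/CSK); ZSKs are skipped."""
    return [ds_from_dnskey(l) for l in dnskey_lines if parse_dnskey(l)[1] & 0x0001]

if __name__ == "__main__":
    for record in ds_records(SAMPLE_ZONE_KEYS):
        print(record)
```

On a real zone, check the result against the output of dnssec-dsfromkey before entering it at the registrar.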
