On 02 Feb 2021, at 02:23, Matthijs Mekking <matth...@isc.org> wrote:
> 1. Create a dnssec-policy that matches your current keys (so in your case 
> algorithm 7, also make sure you use the same length).
> 
> So I guess something like:
> 
>    dnssec-policy alg13-ksk-unlimited-zsk-60day {
>        keys {
>            ksk key-directory lifetime unlimited algorithm 7 2048;
>            zsk key-directory lifetime P60D algorithm 7 1024;
>        };
>    };
> 
> This is an assumption. Check the key length with your existing keys.

Yes, the current keys are alg 7 2048 bit. Is there a document on the various 
options here? I am plowing through the "BIND 9 Administrator Reference Manual, 
Release BIND 9.16.5 (Stable Release)" but it is slow going right now and 
"dnssec-policy" does not appear in the pdf in a searchable form (which makes 
things even more fun).

(This domain has a RRSIG range of 20210122220953 - 20210221230953) 

I am guessing as soon as I add that DNSSEC-policy I also need to change each 
domain record from "auto-dnssec maintain;" to "dnssec-policy default;" or do I 
do that after the .state files have been created? (That doesn't sound right, 
but best to check).

> Now that you have migrated your existing key files (they will now have a 
> .state file), you can reconfigure your dnssec-policy with a new algorithm. 
> The alg-7 keys will be gracefully removed from the zone, while new keys with 
> a new algorithm will be introduced.

So once all the domains have a .state file associated with them in the key 
directory I can change the dnssec-policy to the sample I had before and it will 
just migrate from the alg 7 keys above to alg ECDSAP256SHA256 (or I can just 
say alg 13 instead).

#v+
dnssec-policy alg13-ksk-unlimited-zsk-60day {
    keys {
        ksk key-directory lifetime unlimited algorithm 13;
        zsk key-directory lifetime P60D algorithm 13;
    };
};
#v-

That seems very straightforward, there must be a catch somewhere.

-- 
I want a refund, I want a light, I want a reason for all this night
        after night after night after night
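The check Matthijs asks for in step 1 (match the existing algorithm and key length before switching) can be done from the DNSKEY lines in the K*.key files. The script below is an added example, not code from either poster or from ISC: it parses a DNSKEY RR, measures the RSA modulus per RFC 3110, and emits a dnssec-policy that mirrors the current keys. The SAMPLE_KEYS, the policy name alg7-current and the owner example.com. are constructed stand-ins.

```python
import base64

# IANA DNSSEC algorithm numbers used here: RSA algorithms carry an RFC 3110
# key whose modulus length must be measured; ECDSA/EdDSA sizes are fixed, so
# a dnssec-policy line for them takes no size argument.
RSA_ALGS = {5, 7, 8, 10}
FIXED_SIZE_ALGS = {13: 256, 14: 384, 15: 256}

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 encoded RSA public key."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # 0 means the exponent length is in the next 2 bytes
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    return int.from_bytes(pubkey[offset + exp_len:], "big").bit_length()

def parse_dnskey(rr: str) -> tuple[int, int, int]:
    """Return (flags, algorithm, key_bits) for the DNSKEY line of a K*.key file."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, alg = int(fields[i + 1]), int(fields[i + 3])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    if alg in RSA_ALGS:
        return flags, alg, rsa_modulus_bits(pubkey)
    if alg in FIXED_SIZE_ALGS:
        return flags, alg, FIXED_SIZE_ALGS[alg]
    raise ValueError(f"unsupported DNSKEY algorithm {alg}")

def matching_policy(name: str, dnskeys: list[str], zsk_lifetime: str = "P60D") -> str:
    """Emit a dnssec-policy whose keys match the existing ones (step 1 of the migration)."""
    out = [f"dnssec-policy {name} {{", "    keys {"]
    for rr in dnskeys:
        flags, alg, bits = parse_dnskey(rr)
        role = "ksk" if flags & 1 else "zsk"  # the SEP flag (value 1) marks the KSK
        lifetime = "unlimited" if role == "ksk" else zsk_lifetime
        size = f" {bits}" if alg in RSA_ALGS else ""  # only RSA policies take a size
        out.append(f"        {role} key-directory lifetime {lifetime} algorithm {alg}{size};")
    return "\n".join(out + ["    };", "};"])

def _constructed_rsa_dnskey(owner: str, flags: int, bits: int) -> str:
    # Constructed sample, not a real key: exponent 65537 and a modulus of the
    # requested size with only its top bit set. Only the lengths matter here.
    modulus = b"\x80" + b"\x00" * (bits // 8 - 1)
    return f"{owner} IN DNSKEY {flags} 3 7 " + base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

# Stand-ins for the KSK and ZSK lines of the existing K*.key files (alg 7, 2048/1024 bit).
SAMPLE_KEYS = [_constructed_rsa_dnskey("example.com.", 257, 2048),
               _constructed_rsa_dnskey("example.com.", 256, 1024)]

if __name__ == "__main__":
    print(matching_policy("alg7-current", SAMPLE_KEYS))
```

Feed it the DNSKEY lines of your real K*.key files (skip the leading ";" comment lines) and compare the output with the policy you intend to load before pointing the zones at it.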

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users