On 02 Feb 2021, at 02:23, Matthijs Mekking <matth...@isc.org> wrote: > 1. Create a dnssec-policy that matches your current keys (so in your case > algorithm 7, also make sure you use the same length). > > So I guess something like: > > dnssec-policy alg13-ksk-unlimited-zsk-60day { > keys { > ksk key-directory lifetime unlimited algorithm 7 2048; > zsk key-directory lifetime P60D algorithm 7 1024 ; > }; > }; > > This is an assumption. Check the key length with your existing keys.
Yes, the current keys are alg 7 2048 bit. Is there a document on the various options here? I am plowing through the "BIND 9 Administrator Reference Manual, Release BIND 9.16.5 (Stable Release)" but it is slow going right now and "dnssec-policy" does not appear in the pdf in a searchable form, which makes things even more fun). (This domain has a RRSIG range of 20210122220953 - 20210221230953) I am guessing as soon as I add that DNSSEC-policy I also need to change each domain record from "auto-dnssec maintain;" to "dnssec-policy default;" or do I do that after the .state files have been created? (That doesn't sound right, but best to check). > Now that you have migrated your existing key files (they will now have a > .state file), you can reconfigure your dnssec-policy with a new algorithm,. > The alg-7 keys will be gracefully removed from the zone, while new keys with > a new algorithm will be introduced. So once all the domains have a .state file associated with them in the key directory I can change the dnssec-policy to the sample I had before and it will just migrate from the alg 7 keys above to alg ECDSAP256SHA256 (or I can just say alg 13 instead). #v+ dnssec-policy alg13-ksk-unlimited-zsk-60day { keys { ksk key-directory lifetime unlimited algorithm 13; zsk key-directory lifetime P60D algorithm 13; }; }; #v- That seems very straightforward, there must be a catch somewhere. -- I want a refund, I want a light, I want a reason for all this night after night after night after night _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users