> On 10-08-2021 13:38, Klaus Darilion wrote:
> > Hi Matthijs!
> >
> >> We would like to encourage you to change your configurations to
> >> 'dnssec-policy'. See this KB article for migration help:
> >>
> >> https://kb.isc.org/docs/dnssec-key-and-signing-policy
> >
> > Some comments to this KB article and dnssec-policy:
> >
> > - The article should mention how to retrieve the DS record from
> > Bind.
>
> I am not sure what you are asking. Do you mean how to convert the DS
> from the DNSKEY record so you can submit it to the registrar?

Yes. By reading this KB I do not know how the user will be informed which DS (or DNSKEY) must be submitted to the parent zone. I know how to convert a DNSKEY to DS, but IMO the KB is very good but misses that point.

> > - How does Bind handle duplicate keyids when generating new keys?
> > Will Bind ensure that there will not be any duplicate key ids or
> > will it just use the duplicate keys? In the latter case the "rndc
> > dnssec -checkds -key 12345 ..." commands will be ambiguous. (From a
> > user perspective duplicate keyids should be avoided)
>
> BIND will check for key id collision. When a conflict (for the same
> algorithm) is detected a new key will be generated.

Thanks for the info, could be mentioned somewhere

Klaus
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
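
The two points raised in this thread, deriving a DS from a DNSKEY and key id collisions, shown as an added example that is not part of the original messages, the KB article, or BIND's code. It follows RFC 4034 (key tag, Appendix B) and RFC 4509 (SHA-256 DS digest); the key bytes, the zone name `example.com.` and all function names are constructed for illustration.

```python
import hashlib
import struct
from collections import defaultdict

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag (the 'key id') per RFC 4034 Appendix B; not valid for algorithm 1."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # sum the RDATA as 16-bit words
    acc += (acc >> 16) & 0xFFFF               # fold the carry back in
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical (lowercase) wire form of an absolute domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, rdata):
    """DS presentation text with digest type 2 (SHA-256), RFC 4509."""
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

def ambiguous_key_ids(rdatas):
    """Return {(algorithm, key tag): count} for tags shared by more than one key."""
    seen = defaultdict(int)
    for rdata in rdatas:
        seen[(rdata[3], key_tag(rdata))] += 1
    return {k: n for k, n in seen.items() if n > 1}

# Constructed sample bytes (not real keys): 64 bytes, the key length of algorithm 13.
PUB_A = bytes(range(64))
PUB_B = PUB_A[2:4] + PUB_A[0:2] + PUB_A[4:]   # same 16-bit words, two of them swapped
KSK_A = dnskey_rdata(257, 3, 13, PUB_A)
KSK_B = dnskey_rdata(257, 3, 13, PUB_B)

if __name__ == "__main__":
    print(ds_record("example.com.", KSK_A))
    print(ds_record("example.com.", KSK_B))
    print(ambiguous_key_ids([KSK_A, KSK_B]))
```

The key tag is only a 16-bit checksum, so two different keys can share one id while their DS digests differ, which is why a command that selects a key by id alone would be ambiguous if such keys coexisted.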