frank picabia <fpica...@gmail.com> wrote:

> On Thu, May 5, 2022 at 1:46 PM <nico...@ncartron.org> wrote:
> >
> > Tony wrote a nice article about that:
> > https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>
> Thanks for that. My problem is these notes have little in common with how
> the digital ocean guide ran it (
> https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
> ),
That guide is sadly very out of date. You really don't want to use SHA1
(https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html) and for at
least 10 years it has been much easier to use `named`'s automatic signing
than to use dnssec-signzone.

I think if you are still using `dnssec-signzone`, I would recommend
switching over to automatic signing with your existing keys, before doing
an algorithm rollover. And set up a test zone so that you can run through
the process a few times, so that you can learn from your mistakes before
doing it in production.

> and I don't think our domain registrar supports CDS records.

You can ignore the CDS stuff - my registrar didn't support it either, but
I have tools that can use my CDS records to work out the correct thing to
tell my registrar to do.

> I don't understand how people can run little rndc commands as if this
> sticks without putting an include for the keys in the zone file.

`named` automatically adds the keys to the zone according to the timing
information in the key files. (At least, that's the way I did it before
dnssec-policy made things even more automatic.)

--
Tony Finch <f...@isc.org> (he/they)
Cambridge, England
Trafalgar: Northerly or northeasterly 4 or 5, occasionally 3 in far
southeast. Moderate, but slight in far southeast. Fair. Good.
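A named.conf sketch of the two-step migration described in the reply above (an added example, not from the thread, from BIND's documentation or from Tony's own setup): first let named take over signing with the keys you already have, then change the policy so named performs the algorithm rollover itself. Zone names, file paths, the "rsasha256" stand-in for the existing algorithm and the key lifetimes are assumptions.

```conf
// Step 1: hand signing over to named using the keys you already have.
// "rsasha256" is an assumption: use the algorithm your existing
// K<zone>.+<alg>+<id>.key files actually carry, otherwise named will
// start a rollover immediately instead of adopting the keys.
dnssec-policy "existing-keys" {
    keys {
        ksk lifetime unlimited algorithm rsasha256;
        zsk lifetime P90D      algorithm rsasha256;
    };
};

// Step 2 (used later): the same policy shape with the new algorithm.
// Pointing a zone at this policy instead of "existing-keys" makes
// named run the algorithm rollover: it pre-publishes the new DNSKEYs,
// double-signs, waits out the TTLs, and retires the old keys. The
// CDS/CDNSKEY records it publishes show the DS your registrar needs,
// even if the registrar cannot consume CDS itself.
dnssec-policy "ecdsa256" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P90D      algorithm ecdsap256sha256;
    };
};

// Rehearse on a throwaway zone first, as the reply suggests.
zone "rollover-test.example" {
    type primary;
    file "/var/cache/bind/rollover-test.example.db";   // unsigned zone data
    key-directory "/var/cache/bind/keys/rollover-test";
    dnssec-policy "ecdsa256";
    inline-signing yes;   // named maintains a separate signed copy
};

// Production zone: start on "existing-keys"; switch it to "ecdsa256"
// only after the test zone has been through a full rollover cleanly.
zone "example.com" {
    type primary;
    file "/var/cache/bind/example.com.db";   // no $INCLUDE of key files needed
    key-directory "/var/cache/bind/keys/example.com";
    dnssec-policy "existing-keys";
    inline-signing yes;
};
```

Progress of each key can be watched with `rndc dnssec -status example.com`; named will not retire the old KSK until the new DS is in the parent, so the registrar step remains yours.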