On Thu, May 5, 2022 at 3:48 PM Tony Finch <f...@isc.org> wrote:

> frank picabia <fpica...@gmail.com> wrote:
> > On Thu, May 5, 2022 at 1:46 PM <nico...@ncartron.org> wrote:
> > >
> > > Tony wrote a nice article about that:
> > > https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
> >
> > Thanks for that. My problem is these notes have little in common with how
> > the digital ocean guide ran it
> > (https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2),
>
> That guide is sadly very out of date. You really don't want to use SHA1
> (https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html)
> and for at least 10 years it has been much easier to use `named`s
> automatic signing than to use dnssec-signzone.
>
> I think if you are still using `dnssec-signzone`, I would recommend
> switching over to automatic signing with your existing keys, before doing
> an algorithm rollover. And set up a test zone so that you can run through
> the process a few times, so that you can learn from your mistakes before
> doing it in production.
>
> > and I don't think our domain registrar supports CDS records.
>
> You can ignore the CDS stuff - my registrar didn't support it either, but
> I have tools that can use my CDS records to work out the correct thing to
> tell my registrar to do.
>
> > I don't understand how people can run little rndc commands as if this
> > sticks without putting an include for the keys in the zone file.
>
> `named` automatically adds the keys to the zone according to the timing
> information in the key files. (At least, that's the way I did it before
> dnssec-policy made things even more automatic.)

Agreed that the digital ocean guide is out of date. That's why I'm redoing the steps with algorithm 8. In our case, we have a DNS service to protect from DDOS and we need to transfer the whole zone to them periodically or from updates.
I don't think the Bind built-in signing would work for this situation.
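The SHA-1 and algorithm-rollover points from Tony's reply, as an added example that is not part of this thread or of BIND: a small Python check over `dig`-style DNSKEY and DS output that flags SHA-1 based algorithms (5, 7) and SHA-1 DS digests, and reports a DS algorithm with no published DNSKEY of that algorithm, which is the error that makes a zone bogus part-way through a rollover. The record text, key tags and key material are constructed placeholders.

```python
# Constructed sample, in the shape `dig +noall +answer example.com DNSKEY` prints:
# a zone mid-way through an algorithm 7 -> 8 rollover (key material is a placeholder).
DNSKEY_SAMPLE = """\
example.com. 3600 IN DNSKEY 257 3 7 AwEAAc7oldKSK==
example.com. 3600 IN DNSKEY 256 3 7 AwEAAc7oldZSK==
example.com. 3600 IN DNSKEY 257 3 8 AwEAAc8newKSK==
example.com. 3600 IN DNSKEY 256 3 8 AwEAAc8newZSK==
"""
# Constructed DS records as published at the parent (key tags and digests are placeholders).
DS_SAMPLE = """\
example.com. 86400 IN DS 11111 7 1 0123456789ABCDEF0123456789ABCDEF01234567
example.com. 86400 IN DS 22222 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

# IANA DNSSEC algorithm numbers that are built on SHA-1, and the SHA-1 DS digest type.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
SHA1_DIGEST_TYPE = 1


def parse_rrset(text, rtype):
    """Return the RDATA fields (as string lists) of every record of `rtype` in dig-style output."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == rtype:
            records.append(fields[4:])
    return records


def rollover_findings(dnskey_text, ds_text):
    """Return (severity, message) findings about SHA-1 use and DS/DNSKEY algorithm consistency."""
    findings = []
    dnskey_algs = set()
    for flags, _proto, alg, *_key in parse_rrset(dnskey_text, "DNSKEY"):
        alg = int(alg)
        dnskey_algs.add(alg)
        if alg in SHA1_ALGORITHMS:
            findings.append(("warn", f"DNSKEY flags={flags} uses algorithm {alg} ({SHA1_ALGORITHMS[alg]})"))
    ds_algs = set()
    for keytag, alg, digest_type, *_digest in parse_rrset(ds_text, "DS"):
        ds_algs.add(int(alg))
        if int(digest_type) == SHA1_DIGEST_TYPE:
            findings.append(("warn", f"DS keytag={keytag} uses SHA-1 digest type"))
    # RFC 6840 section 5.11: every algorithm in the DS RRset must also sign the zone,
    # so a DS algorithm with no DNSKEY of that algorithm makes the zone bogus.
    for alg in sorted(ds_algs - dnskey_algs):
        findings.append(("error", f"DS references algorithm {alg} but no DNSKEY of that algorithm is published"))
    return findings


if __name__ == "__main__":
    for severity, message in rollover_findings(DNSKEY_SAMPLE, DS_SAMPLE):
        print(f"{severity}: {message}")
```

Run it against the real output of `dig` for both RRsets after each rollover step in the test zone to confirm no "error" finding appears before the old-algorithm DS is withdrawn.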
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users