Hi, I'm at the point in DNSSEC algorithm migration where I have two types of keys involved in signing. Both algorithms 7 and 8 are in use.
The top-level domain registrar also has DS records set up for both 7 and 8. I need to coordinate pulling out algorithm 7 with the domain registrar so our domain will be running against only algo 8. Should the TLD registrar remove 7 first, or should I remove signing of the zone with the algo 7 keys before they make their change? I noticed that when I tried removing signing with the algo 7 keys and checked the DNS state at https://dnsviz.net/d/acadiau.ca/dnssec/ I saw errors at the analyzer like this:

    The DS RRset for the zone included algorithm 7 (RSASHA1NSEC3SHA1), but no RRSIG with algorithm 7 covering the RRset was returned in the response.

I'm not sure if that would be a crippling error to DNS functionality if I didn't reverse the removal of algo 7 signing, which I've done after seeing this. Can I do removal of algo 7 on one side prior to the other (BIND signing vs. TLD registrar side), or do we have to coordinate this with the TLD registrar as closely as possible?
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
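The dnsviz error quoted above is a report that the zone has broken the rule in RFC 4035 section 2.2, restated in RFC 6840 section 5.11: a signed zone must publish a DNSKEY for every algorithm in its DS RRset, and must sign every RRset with every algorithm in its DNSKEY RRset (a validator that sees a DS algorithm with no matching RRSIG may treat the zone as bogus, though RFC 6840 also says validators should accept any single valid path). The following Python is an added example, not code from the post, from ISC or from BIND: it encodes that invariant as a check and runs it over the two possible step orders for withdrawing algorithm 7, so each intermediate state is tested the way a strict validator would. The zone states are constructed sample data (algorithm numbers only), not a lookup of acadiau.ca, and the step order that passes is the conservative sequence RFC 6781 section 4.1.4 describes.

```python
"""Pre-flight check for a DNSSEC algorithm rollover.

RFC 6840 section 5.11 (restating RFC 4035 section 2.2): a signed zone must
publish a DNSKEY for every algorithm in its DS RRset, and every RRset must be
signed with every algorithm in the DNSKEY RRset. A strict validator that sees a
DS algorithm with no matching RRSIG may treat the zone as bogus.

Added example, not from the original post or ISC. The zone states below are
constructed sample data (an apex DS set, DNSKEY set and RRSIG set expressed as
algorithm numbers), not a lookup of any real zone.
"""
from dataclasses import dataclass, replace

RSASHA1_NSEC3 = 7   # RSASHA1-NSEC3-SHA1
RSASHA256 = 8       # RSASHA256


@dataclass(frozen=True)
class ZoneState:
    """Algorithm numbers present in each RRset of a signed zone at one point in time."""
    ds_algs: frozenset        # algorithms in the DS RRset at the parent (registrar side)
    dnskey_algs: frozenset    # algorithms in the apex DNSKEY RRset
    rrsig_algs: frozenset     # algorithms actually used to sign the zone's RRsets


def check_state(state: ZoneState) -> list:
    """Return the violations of the RFC 6840 s5.11 invariant (empty list means OK)."""
    problems = []
    for alg in sorted(state.ds_algs - state.dnskey_algs):
        problems.append(f"DS has algorithm {alg} but DNSKEY RRset has no key of algorithm {alg}")
    for alg in sorted(state.ds_algs - state.rrsig_algs):
        problems.append(f"DS has algorithm {alg} but no RRSIG with algorithm {alg} covers the RRsets")
    for alg in sorted(state.dnskey_algs - state.rrsig_algs):
        problems.append(f"DNSKEY RRset has algorithm {alg} but the zone is not signed with it")
    return problems


def remove_ds(alg):
    """Step: the parent withdraws the DS record(s) for one algorithm."""
    return lambda s: replace(s, ds_algs=s.ds_algs - {alg})


def stop_signing(alg):
    """Step: the zone drops the keys of one algorithm, which removes their DNSKEY and RRSIGs."""
    return lambda s: replace(s, dnskey_algs=s.dnskey_algs - {alg},
                             rrsig_algs=s.rrsig_algs - {alg})


def simulate(start: ZoneState, steps):
    """Apply the steps in order; return [(description, problems)] for each resulting state."""
    report = []
    state = start
    for desc, step in steps:
        state = step(state)
        report.append((desc, check_state(state)))
    return report


def first_violation(report):
    """Description of the first step whose resulting state breaks the invariant, or None."""
    for desc, problems in report:
        if problems:
            return desc
    return None


# Starting point as in the post: both algorithms in DS, DNSKEY and signatures.
DOUBLE_SIGNED = ZoneState(
    ds_algs=frozenset({RSASHA1_NSEC3, RSASHA256}),
    dnskey_algs=frozenset({RSASHA1_NSEC3, RSASHA256}),
    rrsig_algs=frozenset({RSASHA1_NSEC3, RSASHA256}),
)

# Order A: the registrar withdraws the algorithm 7 DS first, then the zone drops algorithm 7.
ORDER_DS_FIRST = [
    ("registrar removes DS algorithm 7", remove_ds(RSASHA1_NSEC3)),
    ("zone stops signing with algorithm 7", stop_signing(RSASHA1_NSEC3)),
]

# Order B: the zone drops algorithm 7 while the parent still publishes a DS for it.
ORDER_SIGNING_FIRST = [
    ("zone stops signing with algorithm 7", stop_signing(RSASHA1_NSEC3)),
    ("registrar removes DS algorithm 7", remove_ds(RSASHA1_NSEC3)),
]

if __name__ == "__main__":
    for name, order in (("DS first", ORDER_DS_FIRST), ("signing first", ORDER_SIGNING_FIRST)):
        print(f"== {name} ==")
        for desc, problems in simulate(DOUBLE_SIGNED, order):
            print(f"after '{desc}': {'OK' if not problems else '; '.join(problems)}")
```

The simulation treats each step as instantaneous; in practice the DS RRset removed at the parent stays in resolver caches for up to its TTL, so the old DNSKEY and RRSIGs have to stay in the zone until that TTL (plus the parent's publication delay) has expired before the second step is safe, which is the waiting period RFC 6781 puts between the two steps.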