OK, I recently decided to change the algorithm on all our domains from RSASHA1 to RSASHA256. Before making the change globally, I experimented with one domain. I did so by adding a new policy:
CURRENT policy:

    - id: rsa1
      algorithm: RSASHA1
      ksk-size: 2048
      zsk-size: 1024
      dnskey-ttl: 43200
      zsk-lifetime: 30d
      ksk-lifetime: 365d

NEW (PROPOSED) policy:

    - id: rsa2
      algorithm: RSASHA256
      ksk-size: 2048
      zsk-size: 2048
      dnskey-ttl: 43200
      zsk-lifetime: 30d
      ksk-lifetime: 365d

DOMAIN TESTED ON:

    # a-domain
    - domain: a-domain
      file: "masters/a-domain"
      zonefile-load: difference
      dnssec-signing: on
      # dnssec-policy: rsa1
      dnssec-policy: rsa2
      semantic-checks: on
      serial-policy: dateserial
      acl: [locals, remotes01, remotes03, remotes04]

To perform the intended change, I first set the current keys on the test domain to:

    retire=+1hr

I then added the new policy and assigned it to the testing domain, then restarted the knot service. After the hour and some had passed, I performed

    keymgr a-domain del-all-old

which removed the old algorithm (RSASHA1) keys. But I think this was a mistake.

How would I best make this change? Is it enough to simply change algorithm: and knot will just do the right thing?

Thanks!

-- 
Chris
-- https://lists.nic.cz/mailman/listinfo/knot-dns-users
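As an added example following Chris's question (this is not code from the post or from the Knot DNS project): a Python pre-flight check an operator can run before `keymgr <zone> del-all-old` during an algorithm rollover. It parses `keymgr <zone> list` output (the field layout and UNIX-epoch timestamps are assumed here, and the sample below is constructed) together with the set of key tags found in the parent's DS RRset (assumed to be gathered separately, for example with `dig +short DS <zone>`), and refuses unless the new algorithm has an active KSK and ZSK, the parent DS already covers the new KSK and no longer the old one, and the old keys have reached their retire and remove times. Whatever Knot does on its own when `algorithm:` changes in a policy, the Knot documentation is the authority; this check does not depend on it.

```python
"""Pre-flight check before deleting old-algorithm keys during a DNSSEC
algorithm rollover in Knot DNS.

Added example for the question above; not code from the post or from the
Knot DNS project.  Assumed (not stated on the page):
  * input is `keymgr <zone> list` output in the layout
    "<keyid> ksk=yes|no zsk=yes|no tag=N algorithm=N ... active=T
    retire=T ... remove=T" with UNIX-epoch timestamps, 0 meaning unset;
  * the key tags in the parent's DS RRset were collected separately
    (e.g. from `dig +short DS <zone>`) and are passed in as a set.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# IANA DNSSEC algorithm numbers for the two algorithms in the post.
RSASHA1, RSASHA256 = 5, 8
ALG_NAMES = {RSASHA1: "RSASHA1", RSASHA256: "RSASHA256"}

# Constructed sample in the assumed keymgr layout: two RSASHA1 keys retired
# one hour before NOW (the poster's retire=+1hr) and two RSASHA256 keys
# active since the day before.  No key has a remove time yet.
# 1546304400 is 2019-01-01 01:00:00 UTC.
NOW = 1546304400
SAMPLE_KEYMGR_LIST = """\
0a1b2c3d4e5f60718293a4b5c6d7e8f901234567 ksk=yes zsk=no tag=12345 algorithm=5 size=2048 public-only=no pre-active=0 publish=1514764800 ready=0 active=1514764800 retire-active=0 retire=1546300800 post-active=0 remove=0
1b2c3d4e5f60718293a4b5c6d7e8f90123456789 ksk=no zsk=yes tag=23456 algorithm=5 size=1024 public-only=no pre-active=0 publish=1514764800 ready=0 active=1514764800 retire-active=0 retire=1546300800 post-active=0 remove=0
2c3d4e5f60718293a4b5c6d7e8f9012345678901 ksk=yes zsk=no tag=34567 algorithm=8 size=2048 public-only=no pre-active=0 publish=1546214400 ready=0 active=1546214400 retire-active=0 retire=0 post-active=0 remove=0
3d4e5f60718293a4b5c6d7e8f901234567890123 ksk=no zsk=yes tag=45678 algorithm=8 size=2048 public-only=no pre-active=0 publish=1546214400 ready=0 active=1546214400 retire-active=0 retire=0 post-active=0 remove=0
"""


@dataclass
class Key:
    keyid: str
    ksk: bool
    zsk: bool
    tag: int
    algorithm: int
    active: int   # epoch when the key starts signing (0 = unset)
    retire: int   # epoch when the key stops signing (0 = unset)
    remove: int   # epoch when the key leaves the DNSKEY RRset (0 = unset)


def parse_keymgr_list(text: str) -> List[Key]:
    """Parse `keymgr <zone> list` output in the assumed layout (see module doc)."""
    keys: List[Key] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        f: Dict[str, str] = dict(p.split("=", 1) for p in parts[1:])
        keys.append(Key(
            keyid=parts[0],
            ksk=f.get("ksk") == "yes",
            zsk=f.get("zsk") == "yes",
            tag=int(f["tag"]),
            algorithm=int(f["algorithm"]),
            active=int(f.get("active", "0")),
            retire=int(f.get("retire", "0")),
            remove=int(f.get("remove", "0")),
        ))
    return keys


def is_signing(key: Key, now: int) -> bool:
    """True when the active time has passed and the retire time has not."""
    return 0 < key.active <= now and (key.retire == 0 or now < key.retire)


def old_alg_removal_check(keys: List[Key], old_alg: int, new_alg: int,
                          parent_ds_tags: Set[int], now: int) -> Tuple[bool, List[str]]:
    """Return (safe, reasons).  Deleting the old algorithm's key material is
    treated as safe only when every condition holds; `reasons` names each
    failing one so the operator knows what to wait for.  This is a
    conservative operator-side pre-check, not Knot's own key state machine."""
    old_name = ALG_NAMES.get(old_alg, str(old_alg))
    new_name = ALG_NAMES.get(new_alg, str(new_alg))
    reasons: List[str] = []

    new_ksk = [k for k in keys if k.algorithm == new_alg and k.ksk and is_signing(k, now)]
    new_zsk = [k for k in keys if k.algorithm == new_alg and k.zsk and is_signing(k, now)]
    old = [k for k in keys if k.algorithm == old_alg]

    # 1. The zone must already be fully signed with the new algorithm.
    if not new_ksk:
        reasons.append(f"no active {new_name} KSK")
    if not new_zsk:
        reasons.append(f"no active {new_name} ZSK")

    # 2. The parent's DS must point at the new KSK and no longer at the old one;
    #    deleting the old KSK while its DS is still published makes the zone bogus.
    if not any(k.tag in parent_ds_tags for k in new_ksk):
        reasons.append(f"parent DS does not cover an active {new_name} KSK")
    stale = sorted({k.tag for k in old if k.ksk} & parent_ds_tags)
    if stale:
        reasons.append(f"parent DS still references {old_name} KSK tag(s) {stale}")

    # 3. The old keys must have stopped signing and left the DNSKEY RRset
    #    (remove time reached), so no cached RRSIG still depends on them.
    signing = [k.tag for k in old if is_signing(k, now)]
    if signing:
        reasons.append(f"{old_name} key tag(s) {signing} still signing")
    published = [k.tag for k in old if not (0 < k.remove <= now)]
    if published:
        reasons.append(f"{old_name} key tag(s) {published} still published (remove time not reached)")

    return (not reasons, reasons)


if __name__ == "__main__":
    keys = parse_keymgr_list(SAMPLE_KEYMGR_LIST)
    # Parent DS still carries only the RSASHA1 KSK tag: the state in which
    # running del-all-old would delete keys the parent still vouches for.
    safe, reasons = old_alg_removal_check(keys, RSASHA1, RSASHA256, {12345}, NOW)
    print("safe to delete RSASHA1 keys:", safe)
    for r in reasons:
        print(" -", r)
```

Run it against real `keymgr <zone> list` output and the DS tags from the parent; only when it reports no reasons is `del-all-old` for the old algorithm defensible. The parent-DS condition is the one the post's sequence skipped, and it is the one `keymgr` cannot see on its own.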