* Matthijs Mekking [2023-06-02 14:10]:
> Did you wait until the migration was complete? Everything needs to be
> omnipresent after the migration before you can make DNSSEC policy changes
> safely.
Well there was no easy way to tell if migration was complete, there
were no indications if the DS

Hi,
I recently moved from auto-dnssec to dnssec-policy and after the
switch I tried to change a zone from an RSA ZSK/KSK to an ECDSA CSK.
When I changed the dnssec-policy from rsa to ecdsa-csk the old keys
immediately got removed which led to a bogus DNSSEC for the zone. I
was expecting a rollov

* Jim Popovitch [2016-10-10 23:42]:
> On Mon, Oct 10, 2016 at 7:51 AM, Sebastian Wiesinger
> wrote:
> >
> > http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/
> >
> > After the DS TTL expired I removed the old DS, so the zone now looks
> > like this:
> >
>

* Tony Finch [2016-10-10 12:36]:
> I thought the algorithm rollover process is required to be: introduce new
> ZSK and KSK and sign the zone; wait for old records to expire; flip the DS
> from old to new; wait for old DS to expire; delete old ZSK and KSK and
> RRSIGs. A double-DS algorithm rollove

* Mark Andrews [2016-10-06 23:33]:
> > is there a guide for an algorithm rollover with BIND9 for an
> > inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
> > find a good guide for it. I already looked at the ISC DNSSEC Guide but
> > it doesn't seem to cover that the RRSIGs mad

Hello,
is there a guide for an algorithm rollover with BIND9 for an
inline-signed zone? I want to roll from RSA to ECDSA but I'm unable to
find a good guide for it. I already looked at the ISC DNSSEC Guide but
it doesn't seem to cover that the RRSIGs made by the new keys need to
be published befor

Hello,
I use BIND 9.9.5 with inline-signing and noticed that the NSEC records
have different TTLs. I can't really explain why there is a difference.
A few of the NSEC records have TTL 300 which is my SOA minimum
(negative) TTL. This should be fine in regard to RFC4035 which states
that every NSEC

* Barry Margolin [2014-09-15 15:18]:
> In article ,
> Steven Carr wrote:
>
> > On 15 September 2014 13:29, Lightner, Jeff wrote:
> > > I've begun seeing this recently in nslookup on Windows workstations as
> > > well. It appears it is appending search domains even when I've
> > > specifie

Hello,
I noticed a change in the host tool in regard to how searches are done
when there are >= "ndots" dots in the query. In the following case
ndots is always nonexistent in the configuration.
With bind 9.8 (Debian 1:9.8.4.dfsg.P1):
$ host -d test.example
Trying "test.example"
Received 105 byt
9 matches