On 2/12/19 11:49 PM, Paul R. Ganci wrote:
Okay so I misunderstood the message I was getting when I checked my
DNSSEC setup via http://dnsviz.net/. What you are telling me is that
all I had to do was re-sign the zone files but that it was not
necessary to generate new keys. This point is definit
On 2/13/19 3:51 AM, Alice Wonder wrote:
I see you are using algorithm 7 - I would recommend switching to
either algorithm 13 or at least to 8.
Algorithm 7 uses a SHA1 hash.
See https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-04
That's a draft but soon will be an update to the st
On 2/12/19 11:49 PM, Paul R. Ganci wrote:
On 2/12/19 10:55 PM, Alice Wonder wrote:
DNSSEC keys do not expire. Signatures do expire. How long a signature
is good for depends upon the software generating the signature, some
let you specify. ldns I believe defaults to 60 days but I am not sure.
On 2/12/19 10:55 PM, Alice Wonder wrote:
DNSSEC keys do not expire. Signatures do expire. How long a signature
is good for depends upon the software generating the signature, some
let you specify. ldns I believe defaults to 60 days but I am not sure.
The keys are in DNSKEY records that are
On 2/12/19 7:26 PM, Paul R. Ganci wrote:
Last weekend I had my DNSSEC keys expire. I discovered that they had
expired the hard way... namely randomly websites could not be found and
email did not get delivered. It seems that the keys were only valid for
what I estimate was about 30 days. It is
Last weekend I had my DNSSEC keys expire. I discovered that they had
expired the hard way... namely randomly websites could not be found and
email did not get delivered. It seems that the keys were only valid for
what I estimate was about 30 days. It is a real PITA to have to update the
keys, rest
6 matches