Algorithm rollover
John
john at klam.ca
Mon Jan 12 15:29:59 CET 2015
This may be the wrong mailing list but I cannot find another concerning
DNSSEC in general.
When I originally set up DNSSEC I used the RSASHA1 algorithm as this
seemed to be the only one that could be used with NSEC3.
However, further reading (and/or changes in DNSSEC) would indicate the
RSASHA256... can also be used with NSEC3.
As a result I would like to change algorithm. I am using my family's domain
rather than a /live/ domain for testing which would seem to give me one
of two options.
1) delete the keys that have been published including the .ca (?
forgotten tech term), publish new keys for the site and wait for the
dust to settle. As the site is small, not heavily used and does not
support anything critical this may be the simplest solution. Problem, I
don't learn anything!
2) generate new keys, publish them as new for rollover at all levels
including TLD (?), on the date the current keys become inactive (or new
keys become active) re-sign the domain.
I am not sure that 2 is correct, and additionally I am not sure that I
want to take the delay.
?
--
John Allen
KLaM
------------------------------------------
OK, so what is the speed of dark?
More information about the dane-users
mailing list