Deprecating DNSSEC algorithms 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1)
Jaap Akkerhuis
jaap at NLnetLabs.nl
Sun Apr 5 21:38:25 CEST 2020
Viktor Dukhovni writes:
> On Sun, Apr 05, 2020 at 03:34:16PM +0200, Hoggins! wrote:
>
> > Le 10/01/2020 à 02:19, Viktor Dukhovni a écrit :
> > > If/when you do decide to switch algorithms, please perform the migration
> > > with care. Algorithm rollovers can be tricky.
> >
> > Anyone using rollerd? I'd like to upgrade my algorithms and let rollerd
> > do the whole rollover job for me, just by specifying that I'd like a
> > specific alg to be used on the next shift, but I'm not sure how to do this.
>
> I have never heard of rollerd, but you might do better on a DNS list,
> rather than the dane-users list. Perhaps someone on the dns-operations
> list can help.
It is ancient and from the time before bind had key maintenance
buikd in. And I don't think it will do an alogorithm rollover. See
the man page (as in https://linux.die.net/man/1/rollerd).
jaap
More information about the dane-users
mailing list