[Pdns-users] Migrate from zsk/ksk/rsa to csk/ecdsa
Nicola Tiling
nti at w4w.net
Sun Jul 29 15:12:09 UTC 2018
Hi
"Publish the CDS records: pdnsutil set-publish-cds example.com, these records will tell the parent zone to update its DS records. Now wait for the DS records to be updated in the parent zone."
If I publish the DS keys for a .net domain, will there be two DS hashes in the .net root zone after the TTL of 86400 runs out? And after that I can switch active/inactive keys? Or should the DS immediately be found on a.gtld-servers.net? Or what should happen?
> Hi
>
> I want to migrate my old original bind generated dnssec zsk/ksk keys to powerdns csk with new ecdsa algorithm.
>
> I’ve created a new inactive key
>
> pdnsutil add-zone-key example.com ksk inactive 256 ECDSAP256SHA256
>
> and can see the inactive csk with "pdnsutil show-zone" as expected.
>
> But I'm unsure what is the next step. Should I publish the new DS Keys as described here
>
> https://doc.powerdns.com/authoritative/guides/kskrollcdnskey.html
>
> And/Or what else should be done?
>
> Thankful for any hints
> Nicola
>
>
>