8 Bře
2021
8 Bře
'21
17:56
I have the same suspicion, but I haven't gotten any further yet, sorry.
L.
Dne 08. 03. 21 v 17:55 Tuomo Soini napsal(a):
On Mon, 8 Mar 2021 17:09:54 +0100
"Thomas E." <list(a)crashcom.info> wrote:
A KSK and ZSK with Alg RSASHA256 have been
created and the zone was
signed. An algorithm rollover is triggered right after signing. I
don't understand why RSASHA256 is still being used.
This is a very wild guess
but I'd suspect this has something to do with
ksk-shared: true, note the config below.
>>> policy:
>>> - id: shared
>>> algorithm: RSASHA512
>>> ksk-size: 2048
>>> zsk-size: 1024
>>> zsk-lifetime: 30d
>>> ksk-lifetime: 365d
>>> ksk-shared: true
>>> ksk-submission: resolver
>>> nsec3: true
>>> cds-cdnskey-publish: always
Btw. cds-cdnskey-publish: always is
against instructions in rfc. those
should only be published for rollover only.
Is there some reason for using shared ksk?