Post 9pt3En6VpRntDf69Fw by mischa@bsd.network
 (DIR) Post #9pswQkjlksERftDW3U by mischa@bsd.network
       2019-12-12T08:49:45Z
       
       1 likes, 0 repeats
       
       What do people use to do DNSSEC key rollover these days? I am planning to start hosting a couple of domains on nsd with DNSSEC, but the roll-over isn't very clear yet.
       
 (DIR) Post #9pswQl1qfeh4ZxfxEe by fireglow@social.firc.de
       2019-12-12T09:58:40.253883Z
       
       0 likes, 0 repeats
       
       @mischa knot :) It's excellent
       
 (DIR) Post #9pt3EmgzMLO3wV9lTM by jpmens@mastodon.social
       2019-12-12T10:26:56Z
       
       0 likes, 0 repeats
       
       @mischa well, first up, NSD won't sign, but you know that I assume. Look at newer Knot versions and then look at BIND with auto-dnssec. If you don't want to roll at all (and why should you, but we'll discuss that with three beers), then look at PowerDNS and AXFR your signed zones to NSD.
       
 (DIR) Post #9pt3En6VpRntDf69Fw by mischa@bsd.network
       2019-12-12T10:43:04Z
       
       0 likes, 0 repeats
       
       @jpmens I do... the ldns-utils are needed. Have a (ldnsd-) signed zone coming out of NSD at the moment, for shits and giggles. Will have a look. Thanx
       
 (DIR) Post #9pt3EnaI2jcgi11vfc by jpmens@mastodon.social
       2019-12-12T10:55:25Z
       
       0 likes, 0 repeats
       
       @mischa ldns is way cool, and I've done that myself. Don't. Use something you can rely on which does key rollovers for you. Or even better: don't roll at all.
       
 (DIR) Post #9pt3Eo0WTCbg1NIsYi by mischa@bsd.network
       2019-12-12T10:56:40Z
       
       1 likes, 0 repeats
       
       @jpmens what do you mean with don't roll at all?
       
 (DIR) Post #9pt6JZnj14MPGsHfkW by jpmens@mastodon.social
       2019-12-12T11:30:52Z
       
       0 likes, 0 repeats
       
       @mischa don't roll your keys; just re-sign the zone. Keys don't expire; RRSIGs do. You need to periodically re-sign, but you don't *have to* generate new keys.
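
An added example, not code from anyone in this thread, of the re-sign check that follows from the point above: parse the RRSIG expiration times in a signed zone and report which signatures fall due inside a window, so a periodic job re-signs before they lapse. The zone snippet, key tags and the `NOW` timestamp are constructed.

```python
# Added example: keys don't expire, RRSIGs do, so the thing to watch in a
# signed zone is the RRSIG expiration field, not the age of the DNSKEYs.
from datetime import datetime, timedelta, timezone

# Constructed sample of a signed zone (signature data shortened to a stub).
SAMPLE_ZONE = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2019121201 7200 3600 1209600 3600
example.net. 3600 IN RRSIG SOA 13 2 3600 20191226000000 20191212000000 12345 example.net. MEUCIQ==
example.net. 3600 IN RRSIG DNSKEY 13 2 3600 20200115000000 20191212000000 54321 example.net. MEUCIQ==
www.example.net. 3600 IN RRSIG A 13 3 3600 20191214000000 20191212000000 12345 example.net. MEUCIQ==
"""

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2019, 12, 12, 12, 0, tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration, key_tag) for each RRSIG line.

    RRSIG RDATA layout (presentation format): type_covered algorithm labels
    original_ttl expiration inception key_tag signer signature.
    """
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        expiration = datetime.strptime(fields[8], "%Y%m%d%H%M%S")
        expiration = expiration.replace(tzinfo=timezone.utc)
        yield fields[0], fields[4], expiration, int(fields[10])


def rrsigs_expiring_within(zone_text, now, window_days):
    """Return (owner, type) pairs whose RRSIG expires within window_days of now."""
    deadline = now + timedelta(days=window_days)
    return [(owner, rtype)
            for owner, rtype, expiration, _tag in parse_rrsigs(zone_text)
            if expiration <= deadline]


def resign_due(zone_text, now, window_days=7):
    """True when at least one signature falls inside the re-sign window."""
    return bool(rrsigs_expiring_within(zone_text, now, window_days))


if __name__ == "__main__":
    for owner, rtype in rrsigs_expiring_within(SAMPLE_ZONE, NOW, 7):
        print(f"re-sign needed: RRSIG {rtype} on {owner}")
```

Run it from cron with the real zone file and your chosen lead time; a non-empty result is the trigger to re-sign with the same keys rather than to roll them.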
       
 (DIR) Post #9pt6Ja9LifeqLwOwSG by mischa@bsd.network
       2019-12-12T11:35:41Z
       
       1 likes, 0 repeats
       
       @jpmens got it! will stick with re-signing with ldns-utils at the moment. Much gracias senior!
       
 (DIR) Post #9pt6Jtn2hJhLGY7PSi by mischa@bsd.network
       2019-12-12T11:20:26Z
       
       1 likes, 0 repeats
       
       @jpmens just resign the zone?