On Mon, 8 Mar 2021 17:09:54 +0100
"Thomas E." <list(a)crashcom.info> wrote:
> A KSK and ZSK with Alg RSASHA256 have been created and the zone was
> signed. An algorithm rollover is triggered right after signing. I
> don't understand why RSASHA256 is still being used.
This is a very wild guess, but I'd suspect this has something to do with
ksk-shared: true; note the config below.
>>> policy:
>>>   - id: shared
>>>     algorithm: RSASHA512
>>>     ksk-size: 2048
>>>     zsk-size: 1024
>>>     zsk-lifetime: 30d
>>>     ksk-lifetime: 365d
>>>     ksk-shared: true
>>>     ksk-submission: resolver
>>>     nsec3: true
>>>     cds-cdnskey-publish: always
Btw. cds-cdnskey-publish: always is against the instructions in the RFC;
those should be published only for a rollover.
Is there some reason for using a shared KSK?
--
Tuomo Soini <tis(a)foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
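One check worth running on the zone in question, added here as an example rather than anything posted in the thread: parse the published DNSKEY RRset and report, per algorithm, whether a KSK and a ZSK are present and whether the old algorithm is still published. The zone name, key material and dig-style output are constructed.

```python
# Added example (not from the thread): audit a zone's DNSKEY RRset while an
# algorithm rollover (here RSASHA256 -> RSASHA512) is in progress.
import re
from collections import defaultdict

# IANA DNSSEC algorithm numbers for the algorithms relevant to the thread.
ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256"}

# Constructed sample of what `dig DNSKEY example.test` might print mid-rollover
# (the zone name and the base64 key material are fake).
SAMPLE_DNSKEY_RRSET = """\
example.test. 3600 IN DNSKEY 257 3 8 AwEAAfakeKSK8=
example.test. 3600 IN DNSKEY 256 3 8 AwEAAfakeZSK8=
example.test. 3600 IN DNSKEY 257 3 10 AwEAAfakeKSK10=
example.test. 3600 IN DNSKEY 256 3 10 AwEAAfakeZSK10=
"""

# owner TTL IN DNSKEY <flags> 3 <algorithm> <public key>
DNSKEY_RE = re.compile(r"^\S+\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+\S+$")


def parse_dnskeys(text):
    """Return {algorithm_number: {"KSK", "ZSK", ...}} from DNSKEY RR lines."""
    roles = defaultdict(set)
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue  # ignore comments, blank lines and other RR types
        flags, alg = int(m.group(1)), int(m.group(2))
        # The SEP bit (flags value 1) marks the KSK; 256 without it is a ZSK.
        roles[alg].add("KSK" if flags & 1 else "ZSK")
    return dict(roles)


def rollover_state(roles, old_alg, new_alg):
    """Summarise an old_alg -> new_alg rollover from the parsed DNSKEY roles.

    RFC 4035 section 2.2 requires every algorithm listed in the DNSKEY RRset
    to sign the zone, so each algorithm needs both a KSK and a ZSK until the
    old algorithm has been withdrawn completely.
    """
    state = {}
    for alg in (old_alg, new_alg):
        present = roles.get(alg, set())
        if present == {"KSK", "ZSK"}:
            summary = "KSK+ZSK"
        else:
            summary = ",".join(sorted(present)) or "absent"
        state[ALGORITHMS.get(alg, str(alg))] = summary
    if new_alg not in roles:
        state["phase"] = "not started"
    elif old_alg in roles:
        state["phase"] = "in progress (old algorithm still published)"
    else:
        state["phase"] = "complete"
    return state
```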