cstrotm, 1 year ago

@Keltounet @bortzmeyer @jpmens

I would recommend

ECDSAP256SHA256 with NSEC

unless there is a strong requirement to use NSEC3

Keltounet, 1 year ago

@cstrotm @bortzmeyer @jpmens if NSEC is now the default, then that's what I have now :)

jpmens, 1 year ago

deleted_by_author

Keltounet, 1 year ago

@jpmens Yep, I made the old key inactive but it was still in the DS. Fixed.

jpmens, 1 year ago

deleted_by_author

Keltounet, 1 year ago

@jpmens bind itself.

Keltounet, 1 year ago

@jpmens zonemaster says NSEC is present:

https://zonemaster.net/en/result/68a28fc61fcefbdf

jpmens, 1 year ago

deleted_by_author

mwl, 1 year ago

@jpmens @Keltounet

SERVFAIL on my resolver (BIND/dig).

Adding +cd fixes it, so: DNSSEC fail. Sorry, Ollivier!

Keltounet, 1 year ago

@mwl @jpmens damn, I need to check then. Dnsviz does like too though.

shaft, 1 year ago

@Keltounet @bortzmeyer @jpmens Algorithm 13 (ECDSA-P256-SHA256) is recommended. Something like half of domains use it nowadays.

jpmens, 1 year ago

deleted_by_author

Keltounet, 1 year ago

@jpmens @shaft @bortzmeyer is Ed25519 still considered too new or that there is no significant advantages over ecdsa?

jpmens, 1 year ago

deleted_by_author

shaft, 1 year ago

@jpmens @Keltounet @bortzmeyer As of RFC 8624 (2019), ed25519 is only "RECOMMENDED" for signing (vs. "MUST" for algo 13) so yeah, some older stuff might not be happy with it :/

Keltounet, 1 year ago

@jpmens @shaft @bortzmeyer ACK.

Keltounet, 1 year ago

@jpmens @shaft @bortzmeyer ZSK/KSK rollovers done on ns0, both in "13 2" now. knot will wait for later on ns0, ns1 is already running knot anyway. Funnily enough, I upgraded ns3 to FreeBSD 13.2 too :)

jpmens, 1 year ago

deleted_by_author

shaft, 1 year ago

@jpmens @Keltounet @bortzmeyer

Lord of the Rings gif: “So it begins”