[Opendnssec-user] Changing the <Algorithm> has no effect

sion at nominet.org.uk
Wed Feb 3 08:50:58 UTC 2010


> I want to use SHA-256 for signing so I changed kasp.xml:
>
>                        <!-- Parameters for KSK only -->
>                         <KSK>
>                                 <Algorithm length="2048">8</Algorithm>
>                                 <Lifetime>P3D</Lifetime>
>                                 <Repository>softHSM</Repository>
>                                 <Standby>1</Standby>
>                         </KSK>
>
>                         <!-- Parameters for ZSK only -->
>                         <ZSK>
>                                 <Algorithm length="1024">8</Algorithm>
>                                 <Lifetime>P1D</Lifetime>
>                                 <Repository>softHSM</Repository>
>                                 <Standby>1</Standby>
>
> and I ran a "ksmutil update all". No error message but, at the next
> resigning, everything is still done with algorithm 7. What did I
> forget? Should I simply wait for the next key rollover?

The keys that are already generated will still have the old algorithm, as
will any StandbyKeys that you have published. Only new keys will be
algorithm 8 and so until these new keys are being used then you will be
using algorithm 7.

So yes, waiting for rollovers should fix the issue, or you can force them
through as soon as the system thinks that the new keys are ready for use.

Sion
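A way to check, from the signed zone itself, whether the rollover the reply describes has actually completed. This is an added example, not code from the thread or from OpenDNSSEC; it parses DNSKEY and RRSIG records from constructed sample zone text (the addresses, key material and helper names are assumptions) and reports which algorithms the published keys and the live signatures really use.

```python
import re
from collections import Counter

# Constructed sample of signed zone data (not from the original post). The zone
# still publishes the old algorithm-7 KSK/ZSK next to the new algorithm-8 keys
# generated after the kasp.xml change, and every RRSIG is still algorithm 7.
SAMPLE_ZONE = """\
example.net. 3600 IN DNSKEY 257 3 7 AwEAAc3Nq... ; old KSK (alg 7)
example.net. 3600 IN DNSKEY 256 3 7 AwEAAbRZ... ; old ZSK (alg 7)
example.net. 3600 IN DNSKEY 257 3 8 AwEAAfG8... ; new KSK (alg 8)
example.net. 3600 IN DNSKEY 256 3 8 AwEAAdKk... ; new ZSK (alg 8)
example.net. 3600 IN RRSIG DNSKEY 7 2 3600 20100210000000 20100203000000 12345 example.net. abcd...
example.net. 3600 IN RRSIG SOA 7 2 3600 20100210000000 20100203000000 54321 example.net. efgh...
"""

# Hypothetical helpers written for this example; they are not OpenDNSSEC tools.
# DNSKEY RDATA: <flags> <protocol=3> <algorithm> <public key>
DNSKEY_RE = re.compile(r"^\S+\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s", re.M)
# RRSIG RDATA: <type covered> <algorithm> <labels> <orig ttl> <expiry> ...
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s", re.M)


def key_algorithms(zone_text):
    """Count DNSKEY algorithms per role; flags with the SEP bit (257) are KSKs."""
    roles = {"KSK": Counter(), "ZSK": Counter()}
    for flags, alg in DNSKEY_RE.findall(zone_text):
        role = "KSK" if int(flags) & 1 else "ZSK"
        roles[role][int(alg)] += 1
    return roles


def signature_algorithms(zone_text):
    """Count the algorithms actually used by RRSIG records (what validators see)."""
    return Counter(int(alg) for _, alg in RRSIG_RE.findall(zone_text))


def rollover_complete(zone_text, wanted_alg):
    """True only when every RRSIG uses wanted_alg and no other-algorithm DNSKEY remains."""
    sigs = signature_algorithms(zone_text)
    keys = key_algorithms(zone_text)
    leftover = any(alg != wanted_alg for role in keys.values() for alg in role)
    return set(sigs) == {wanted_alg} and not leftover


if __name__ == "__main__":
    print("DNSKEY algorithms by role:", {r: dict(c) for r, c in key_algorithms(SAMPLE_ZONE).items()})
    print("RRSIG algorithms:", dict(signature_algorithms(SAMPLE_ZONE)))
    print("rollover to algorithm 8 complete:", rollover_complete(SAMPLE_ZONE, 8))
```

Run it against a real signed zone (e.g. the output of a zone transfer or `dig +dnssec`) to confirm that signatures have moved to the new algorithm before assuming the kasp.xml change has taken effect.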
