Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)
Tony Finch
dot at dotat.at
Thu Mar 5 13:26:27 UTC 2020
Alan Batie <alan at peak.org> wrote:
>
> I'm letting named do the automatic signing/generation of RRSIG records,
> but unless I'm missing something, you still have to generate the DNSKEY
> records manually. dnssec-verify is the tool in question complaining
> about not including RSASHA1 keys and signatures.
Oh whoops, sorry, I wasn't paying proper attention.
I think those errors from dnssec-verify look to me like you have an
RSASHA256 KSK and an RSASHA1 ZSK. Your key files should all have names
like K*+008+* not K*+005+*. In older versions of BIND it's easy to
accidentally get a bad key by forgetting the -a option to dnssec-keygen.
(BTW I prefer to talk about "keys" when I have the files with both the
public and private parts, and only talk about DNSKEYs when I'm referring
to the public parts published in zone files.)
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
a fair, free and open society
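A quick check for the mistake Tony describes, added here as an example that is not part of the thread: it reads the algorithm number out of BIND key file names (K<zone>+<alg>+<keyid>.key / .private) and lists the keys that carry 005 (RSASHA1) rather than 008 (RSASHA256). The key directory and file names below are constructed samples, not real keys.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): flag DNSSEC key files whose
# name encodes algorithm 005 (RSASHA1). Such keys should be replaced by ones
# generated with the -a option, e.g. dnssec-keygen -a RSASHA256.
set -e

# Print the three-digit algorithm number from a key file name of the form
# K<zone>.+<alg>+<keyid>.key or .private (the zone name never contains '+').
key_alg() {
    kname=$(basename "$1")
    kname=${kname%.key}
    kname=${kname%.private}
    krest=${kname#K*+}          # drop "K<zone>+", leaving "<alg>+<keyid>"
    printf '%s\n' "${krest%%+*}"
}

# List every .key file in a directory whose algorithm number is 005 (RSASHA1).
find_rsasha1_keys() {
    keydir=$1
    for f in "$keydir"/K*.key; do
        [ -e "$f" ] || continue
        if [ "$(key_alg "$f")" = "005" ]; then
            printf '%s\n' "$(basename "$f")"
        fi
    done
}

# Constructed sample directory mirroring the thread: an RSASHA256 (008) KSK
# and an RSASHA1 (005) ZSK. The files are empty placeholders, not key material.
make_sample_dir() {
    d=$(mktemp -d)
    for n in Kexample.com.+008+12345 Kexample.com.+005+54321; do
        : > "$d/$n.key"
        : > "$d/$n.private"
    done
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "RSASHA1 (algorithm 5) keys in $sample:"
find_rsasha1_keys "$sample"     # prints Kexample.com.+005+54321.key
rm -rf "$sample"
```

Point it at a real key directory by calling find_rsasha1_keys with that path; any hit is a key that needs regenerating with the correct -a option.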