DS keys with 2 digest algorithms

frank picabia fpicabia at gmail.com
Tue Sep 20 18:32:31 UTC 2022


The algorithm migration I made to 8 has worked well.
Getting green lights on DNSSEC checkers, etc.

The only odd bit is some warnings at DNSViz.net
about DS records using digest algorithm 1.

DNSSEC specification prohibits signing with DS records that use digest
algorithm 1 (SHA-1).

Somehow the way I do the zone signing results in 2 pairs of DS
records - one with digest algorithm 2 and one with algorithm 1.

This is the command I've been running lately:

/sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f forward/mydomain.ca.signed forward/mydomain.ca

As per the howtos I followed years ago, I've provided the domain registrar
with both DS key records (one key number, two digest algorithms).

mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416

In the diagram at DNSViz.net, it looks like the DS with alg 1 is dangling at the
top level domain (.ca) with the yellow warning as per above, while the alg 2
links to my domain's DNSKEY properly.

How should I tidy up this digest algo 1?  Do I simply remove it at the domain
registrar, or is there a better way to run dnssec-signzone?
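The two DS records above differ only in the digest type field (1 = SHA-1, 2 = SHA-256); both are computed from the same DNSKEY, which is why they share key tag 20084. The following is an added example, not code from the original post or from BIND, that recomputes DS records from a DNSKEY the way RFC 4034 describes (owner name in wire format followed by the DNSKEY RDATA, hashed with the chosen digest), derives the key tag, and audits a DS set for digest types that RFC 8624 says must no longer be used for signing. The public key it generates DS records for is a constructed placeholder, not a real RSA key; the DS lines it audits are the two from the post.

```python
import base64
import hashlib
from dataclasses import dataclass

# DS digest types and their RFC 8624 signing status:
#   1 = SHA-1 (MUST NOT be used for signing), 2 = SHA-256 (MUST), 4 = SHA-384 (MAY)
DIGEST_TYPES = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256), 4: ("SHA-384", hashlib.sha384)}
DEPRECATED_DIGEST_TYPES = {1}


def wire_name(name: str) -> bytes:
    """Owner name in uncompressed, lower-cased DNS wire format (RFC 4034 section 5.1.4)."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest_hex: str

    def deprecated(self) -> bool:
        return self.digest_type in DEPRECATED_DIGEST_TYPES


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str, digest_type: int) -> DS:
    """Compute the DS record for a DNSKEY: digest = H(wire owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    _, hash_fn = DIGEST_TYPES[digest_type]
    digest = hash_fn(wire_name(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(line: str) -> DS:
    """Parse a presentation-format DS line; the digest may be split across whitespace."""
    tokens = line.split()
    i = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[i + 1 : i + 4])
    return DS(tag, alg, dtype, "".join(tokens[i + 4 :]).upper())


def audit_ds_set(lines):
    """For each DS: (record, digest type deprecated?, same key also covered by a SHA-256 DS?)."""
    records = [parse_ds(ln) for ln in lines]
    covered = {(r.key_tag, r.algorithm) for r in records if r.digest_type == 2}
    return [(r, r.deprecated(), (r.key_tag, r.algorithm) in covered) for r in records]


# The two DS records from the post, used here as sample input.
POSTED_DS = [
    "mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619",
    "mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416",
]

# Constructed placeholder key material (not a real RSA key) so the example runs offline.
CONSTRUCTED_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode("ascii")

if __name__ == "__main__":
    for record, deprecated, has_sha256 in audit_ds_set(POSTED_DS):
        status = "DEPRECATED digest type" if deprecated else "ok"
        note = " (a SHA-256 DS for the same key tag exists)" if deprecated and has_sha256 else ""
        print(f"key tag {record.key_tag} alg {record.algorithm} digest type {record.digest_type}: {status}{note}")
    # Show that one DNSKEY yields one DS per digest type, all with the same key tag.
    for dtype in (1, 2):
        ds = make_ds("mydomain.ca.", 257, 3, 8, CONSTRUCTED_PUBKEY_B64, dtype)
        print(f"mydomain.ca. IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest_hex}")
```

Running the audit on the posted records reports the digest-type-1 DS as deprecated while noting that a SHA-256 DS for the same key tag is present, which is the condition under which the SHA-1 DS is redundant at the registrar. To confirm a DS computed this way matches what BIND produces for a real key, compare it with the output of BIND's `dnssec-dsfromkey -a SHA-256` run on the KSK file.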