DS keys with 2 digest algorithms

frank picabia fpicabia at gmail.com
Thu Sep 22 14:41:09 UTC 2022


Hi,

Thanks for this confirmation.  I had our registrar remove the digest
algorithm SHA1 DS entry and this has worked as expected.  No errors or
warnings at any DNSSEC checkers.

Maybe in the future dnssec-signzone won't generate the deprecated entry to
begin with.



On Tue, Sep 20, 2022 at 3:44 PM Mark Elkins <mje at posix.co.za> wrote:

> Just remove the type-1 digest from the domain registrar.
>
> In the future - only upload the type-2 version.
> On 2022/09/20 20:32, frank picabia wrote:
>
>
> The algorithm migration I made to 8 has worked well.
> Getting green lights on DNSSEC checkers, etc.
>
> The only odd bit is some warnings at DNSViz.net
> about DS records using digest algorithm 1.
>
> DNSSEC specification prohibits signing with DS records that use digest
> algorithm 1 (SHA-1).
>
> Somehow the way I do the zone signing results in 2 pairs of DS
> records - one with digest algorithm 2 and one with algorithm 1.
>
> This is the command I've been running lately:
>
> /sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f
> forward/mydomain.ca.signed forward/mydomain.ca
>
> As per the howtos I followed years ago, I've provided the domain registrar
> with both DS key records (one key number, two digest algorithms).
>
> mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
> mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416
>
> In the diagram at DNSViz.net, it looks like the DS with alg 1
> is dangling at the top level domain (.ca) with the yellow warning as per
> above, while the alg 2 links to my domain's DNSKEY properly.
>
> How should I tidy up this digest algo 1?  Do I simply remove it at the
> domain registrar, or is there a better way to run dnssec-signzone?
>
>
>
>
> --
>
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje at posix.co.za       Tel: +27.826010496 <+27826010496>
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>
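The thread shows why a single KSK produces two DS records: the DS digest is a hash over the owner name plus the DNSKEY RDATA, so each digest type gives one more DS line with the same key tag and algorithm. The following Python is an added example (not from the thread and not BIND code) that derives DS records from a DNSKEY as RFC 4034 defines them and audits a set of DS lines, separating records that use the deprecated SHA-1 digest (type 1, which RFC 8624 says must not be used for DS) from those to keep. The DNSKEY it builds is constructed with a two-byte placeholder public key and the owner example.test; the audit input is the pair of DS lines from Frank's message.

```python
import hashlib
import re

# RFC 8624 lists digest type 1 (SHA-1) as MUST NOT use for DS records; that
# is the condition DNSViz warns about in the thread.
DEPRECATED_DIGEST_TYPES = {1}
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels, uncompressed."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type):
    """One DS RR as text. Digest = H(owner wire form | DNSKEY RDATA), RFC 4034 s5.1.4.
    The same key yields one DS per digest type, which is how the thread ended up
    with a pair sharing key tag 20084 and algorithm 8."""
    digest = DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


# owner [ttl] [IN] DS keytag algorithm digesttype digest
DS_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)$"
)


def audit_ds(lines):
    """Split DS lines into (keep, drop); drop holds records with a deprecated digest type."""
    keep, drop = [], []
    for line in lines:
        m = DS_RE.match(" ".join(line.split()))  # normalise whitespace, skip non-DS lines
        if not m:
            continue
        rec = {"owner": m.group(1), "key_tag": int(m.group(2)), "algorithm": int(m.group(3)),
               "digest_type": int(m.group(4)), "digest": m.group(5).upper()}
        (drop if rec["digest_type"] in DEPRECATED_DIGEST_TYPES else keep).append(rec)
    return keep, drop


# The two DS lines from the message above (the SHA-256 digest re-joined onto one line).
THREAD_DS = [
    "mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619",
    "mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416",
]

if __name__ == "__main__":
    keep, drop = audit_ds(THREAD_DS)
    for rec in drop:
        print("remove at registrar:", rec)
    for rec in keep:
        print("keep:", rec)
    # Constructed KSK: flags 257, protocol 3, algorithm 8; the 2-byte public key is a placeholder.
    rdata = dnskey_rdata(257, 3, 8, b"\x01\x02")
    for dt in (1, 2):
        print(ds_record("example.test.", rdata, dt))
```

Run against a real zone, replace THREAD_DS with the lines of the dsset file dnssec-signzone wrote (or the DS set the parent actually publishes, fetched with dig) and hand the drop list to the registrar; the keep list is what should remain at the parent.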