DNSSEC upgrade
Tony Finch
dot at dotat.at
Sat May 1 10:25:04 UTC 2021
Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> One thing I note, all check say everything is good, but when using dnsviz,
> it says secure, shows the ecd... but also puts up warnings that I am using
> alg 13 but digest 1 (sha1), which is not allowed,
I guess the "digest 1" is referring to your DS records. In my guide I
said, get the DS record for the new algorithm like this:
dnssec-dsfromkey -2 Kbotolph.cam.ac.uk.+013+YYYYY
The -2 option forces SHA-2 and avoids the deprecated SHA-1 hash.
Old versions of BIND by default print both SHA1 and SHA2 DS records, and
it's relatively common for zones to have both kinds of DS record in their
delegation.
SHA1 DS records are now discouraged so it's best to replace them with
SHA2, or just delete them if you have both kinds of DS record.
Tony.
--
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
harness technological change to human advantage
More information about the bind-users
mailing list