DNSSEC upgrade

Tony Finch dot at dotat.at
Sat May 1 12:31:25 UTC 2021


Edwardo Garcia <wdgarc88 at gmail.com> wrote:
>
> So you mean to say when it print out
>
> IN DS 45701 13 1 5422E9...
> IN DS 45701 13 2 qwertyE9...
>
> we never needed 45701 13 1 5422E9, only 45701 13 2 qwertyE9?

Exactly, yes!

> and we only need run
>
> dig @ns0 dnskey guiltyparty.net | dnssec-dsfromkey -2 -f - guiltyparty.net
>
> and enter in just that one entry? 45701 13 2 qwertyE to the DS in domain
> reg?

Correct!

> and what we have been uploading both all these years was wrong?

Well, not wrong, but unnecessary. The tools generally encouraged everyone
to publish both SHA1 and SHA2 DS records even though just SHA2 has been
enough for more than 10 years and SHA1 has had known weaknesses for even
longer.

> hrmm, now I start to understand why not many use DNSSEC: so confusing to
> those who do not do this every day, and so many instructions around that
> nobody knows what works
>
> But we getting there :->

Yes, slowly...

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Shannon, Rockall: Variable 4 or less, becoming southwest 3 to 5 later.
Slight, occasionally moderate in Rockall and at first in Shannon.
Showers. Good.
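As an added example (not part of the thread above), the following Python derives DS records from a DNSKEY the way dnssec-dsfromkey does, which makes the point of the discussion visible: the digest-type-1 (SHA-1) and digest-type-2 (SHA-256) DS lines share the same key tag and cover the same key, differing only in the hash, so the SHA-256 line alone is sufficient. The key material is a constructed placeholder, not the real guiltyparty.net key.

```python
import base64
import hashlib

# DS digest types (RFC 4034 section 5.1.3, RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey_rdata(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64...' (as dig prints it) into DNSKEY RDATA wire bytes."""
    flags, proto, alg, *key_parts = presentation.split()
    pubkey = base64.b64decode("".join(key_parts))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the 45701-style number) over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner: str, dnskey_presentation: str, digest_types=(2,)) -> list:
    """DS records in presentation form; the default (SHA-256 only) matches dnssec-dsfromkey -2."""
    rdata = parse_dnskey_rdata(dnskey_presentation)
    tag = key_tag(rdata)
    alg = rdata[3]
    out = []
    for dt in digest_types:
        # The DS digest is hash(canonical owner name || DNSKEY RDATA).
        digest = DIGEST_ALGOS[dt](owner_to_wire(owner) + rdata).hexdigest().upper()
        out.append(f"{owner.rstrip('.')}. IN DS {tag} {alg} {dt} {digest}")
    return out


# Constructed sample, NOT a real key: 64 arbitrary bytes standing in for an
# algorithm 13 (ECDSAP256SHA256) public key, as the thread's zone uses algorithm 13.
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    for rr in ds_records("guiltyparty.net", SAMPLE_DNSKEY, digest_types=(1, 2)):
        print(rr)  # same key tag on both lines; only the "... 13 2 ..." one needs to reach the registrar
```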