dnssec rookie question
Danilo Godec
danilo.godec at agenda.si
Mon Jan 10 15:48:59 UTC 2022
Hello,
today I implemented DNSSEC for a domain - by that I mean that the DS
records have been published / added to TLD DNS today, while the zone has
been signed a couple of days ago.
So a couple of hours later I went to https://dnsviz.net to see if
everything seems OK and it reports one error and a couple of warnings.
The error is:
RRSIG sid.si/NSEC3PARAM alg 13, id 48018: The TTL of the RRset (3600) exceeds the value of the Original TTL field of the RRSIG RR covering it (0).
But if I use dig, I get this:
;; ANSWER SECTION:
sid.si. 3600 IN NSEC3PARAM 1 0 10 -
sid.si. 3600 IN RRSIG NSEC3PARAM 13 2 0 20220205091303 20220106091303 48018 sid.si. WVstsjBLSQNS+PaKbR3LAAALG7tlV+cuzLYUKgWDXKrFnxe+dxx5Tmsa pYIrabwi/sANBgEBMHtW1Z3NS7hRow==
Both records show TTL 3600 - which should be OK, I think? Where does
dnsviz.net get that TTL 0?
The warnings are:
sid.si/DS (alg 13, id 12603): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).
sid.si/DS (alg 13, id 12603): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).
sid.si/DS (alg 13, id 12603): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
sid.si/DS (alg 13, id 12603): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
This is probably due to the fact that the Bind version included in CentOS 8
(its dnssec-signzone) creates two 'digests' in the dsset file (SHA-1 and
SHA-256, which is what I've sent to the domain registrar to include),
while newer Bind versions only create one...
Is including SHA-1 bad in some way? Should I change that?
Thanks,
Danilo
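As an added example (not from the post, dnsviz or BIND), here are the two checks dnsviz is applying, run over the dig output quoted above plus a constructed DS RRset; parse_rrs, check_rrsig_original_ttl and check_ds_digest_types are my own names, and the DS digest hex values are placeholders rather than the real sid.si digests.

```python
# Records as quoted from dig in the post: the NSEC3PARAM RRset and its RRSIG.
DIG_ANSWER = """
sid.si. 3600 IN NSEC3PARAM 1 0 10 -
sid.si. 3600 IN RRSIG NSEC3PARAM 13 2 0 20220205091303 20220106091303 48018 sid.si. WVstsjBLSQNS+PaKbR3LAAALG7tlV+cuzLYUKgWDXKrFnxe+dxx5Tmsa pYIrabwi/sANBgEBMHtW1Z3NS7hRow==
"""
# Constructed DS RRset (assumption): key tag 12603 / alg 13 as dnsviz reported, one
# SHA-1 (digest type 1) and one SHA-256 (type 2) entry; the digest hex is a placeholder.
DS_RRSET = """
sid.si. 3600 IN DS 12603 13 1 0000000000000000000000000000000000000000
sid.si. 3600 IN DS 12603 13 2 0000000000000000000000000000000000000000000000000000000000000000
"""

def parse_rrs(text):
    """Turn 'owner TTL IN TYPE rdata...' lines into (owner, ttl, type, rdata-fields)."""
    rrs = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "IN":
            rrs.append((f[0], int(f[1]), f[3], f[4:]))
    return rrs

def check_rrsig_original_ttl(rrs):
    """RRSIG RDATA (RFC 4034 s3.1): type covered, algorithm, labels, Original TTL,
    expiration, inception, key tag, signer, signature. RFC 4035 s5.3.3 tells validators
    not to cache the covered RRset above Original TTL, which is what dnsviz flags."""
    findings = []
    for owner, _, rtype, rd in rrs:
        if rtype != "RRSIG":
            continue
        covered, alg, orig_ttl, keytag = rd[0], rd[1], int(rd[3]), rd[6]
        for o, ttl, rt, _ in rrs:
            if o == owner and rt == covered and ttl > orig_ttl:
                findings.append(f"{owner}/{covered} alg {alg}, id {keytag}: "
                                f"RRset TTL {ttl} exceeds RRSIG Original TTL {orig_ttl}")
    return findings

def check_ds_digest_types(rrs):
    """DS RDATA: key tag, algorithm, digest type, digest. Flag SHA-1 (type 1) DS
    records, and note they are ignored when a SHA-256 (type 2) DS also exists."""
    findings = []
    ds = [(o, rd) for o, _, rt, rd in rrs if rt == "DS"]
    for owner, rd in ds:
        keytag, alg, dtype = rd[0], rd[1], int(rd[2])
        if dtype != 1:
            continue
        findings.append(f"{owner}/DS (alg {alg}, id {keytag}): SHA-1 digest type 1 is prohibited")
        if any(o == owner and int(r[2]) == 2 for o, r in ds):
            findings.append(f"{owner}/DS (alg {alg}, id {keytag}): ignored, SHA-256 DS present")
    return findings
```

Running both checks over the quoted NSEC3PARAM answer reproduces the dnsviz error (RRset TTL 3600 against an Original TTL field of 0 inside the RRSIG), and over the two-digest DS set reproduces both warnings.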