dnssec rookie question
Anand Buddhdev
anandb at ripe.net
Mon Jan 10 16:00:18 UTC 2022
On 10/01/2022 16:48, Danilo Godec via bind-users wrote:
Hi Danilo,
[snip]
I don't know what is causing the DNSViz error. Perhaps someone else may
see the issue.
> sid.si/DS (alg 13, id 12603): DS records with digest type 1 (SHA-1) are
> ignored when DS records with digest type 2 (SHA-256) exist in the same
> RRset.
>
> This is probably due to the fact that the BIND version included in CentOS 8
> /dnssec-signzone/ creates two 'digests' in the /dsset/ file (SHA-1 and
> SHA-256 - which is what I've sent to the domain registrar to include),
> while newer BIND versions only create one...
>
> Is including SHA-1 bad in some way? Should I change that?
Having a DS record with a SHA-1 hash isn't bad, but it's pointless,
because you already have the stronger SHA-2 hash. Most modern resolvers
will ignore the SHA-1 hash. So just remove it.
Regards,
Anand Buddhdev
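As an added example (not code from the reply, from BIND, or from DNSViz), the Python below shows how a dsset-style pair of DS records is derived from a single DNSKEY and why a validator drops the SHA-1 entry. The helper names, the DNSKEY bytes and the resulting key tag are constructed for illustration (the real sid.si key tag 12603 is not reproduced); the per-RRset rule is the one from RFC 4509, section 3, that the DNSViz message describes.

```python
import hashlib

# DS digest type -> hash function (1 = SHA-1, 2 = SHA-256)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def wire_name(name):
    """Owner name in DNS wire format: length-prefixed labels, root label last."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, dnskey_rdata, digest_type):
    """One DS record as (key_tag, algorithm, digest_type, digest_hex).
    The digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    h = DIGEST_ALGS[digest_type](wire_name(owner) + dnskey_rdata).hexdigest()
    return (key_tag(dnskey_rdata), dnskey_rdata[3], digest_type, h)

def dsset_lines(owner, dnskey_rdata, digest_types=(1, 2)):
    """Mimic an older dnssec-signzone writing both a SHA-1 and a SHA-256 DS."""
    return [f"{owner} IN DS {t} {a} {d} {h}"
            for t, a, d, h in (make_ds(owner, dnskey_rdata, dt) for dt in digest_types)]

def effective_ds(ds_rrset):
    """Validator view of a DS RRset: SHA-1 (type 1) entries are ignored whenever a
    SHA-256 (type 2) entry is present in the same RRset, so publishing them adds nothing."""
    has_sha256 = any(ds[2] == 2 for ds in ds_rrset)
    return [ds for ds in ds_rrset if not (has_sha256 and ds[2] == 1)]

# Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 13, and a
# 64-byte placeholder "public key" that is not a real ECDSA point.
DNSKEY_RDATA = bytes([0x01, 0x01, 0x03, 0x0D]) + bytes(range(64))
OWNER = "sid.si."

if __name__ == "__main__":
    rrset = [make_ds(OWNER, DNSKEY_RDATA, dt) for dt in (1, 2)]
    for line in dsset_lines(OWNER, DNSKEY_RDATA):
        print(line)
    print("digest types a validator keeps:", [ds[2] for ds in effective_ds(rrset)])
```

Running it prints the two DS lines an older dnssec-signzone would put in the dsset file and shows that only the digest-type-2 record survives validator selection.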