DS keys with 2 digest algorithms
Petr Špaček
pspacek at isc.org
Wed Sep 21 07:46:04 UTC 2022
On 20. 09. 22 20:32, frank picabia wrote:
>
> The algorithm migration I made to 8 has worked well.
> Getting green lights on DNSSEC checkers, etc.
>
> The only odd bit is some warnings at DNSVIS.NET about DS records using
> digest algorithm 1.
>
> DNSSEC specification prohibits signing with DS records that use digest
> algorithm 1 (SHA-1).
>
> Somehow the way I do the zone signing results in 2 pairs of DS
> records - one with digest algorithm 2 and one with algorithm 1.
>
> This is the command I've been running lately:
>
> /sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca -t -f forward/mydomain.ca.signed forward/mydomain.ca
>
> As per the howtos I followed years ago, I've provided the domain registrar
> with both DS key records (one key number, two digest algorithms).
>
> mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
> mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416
mydomain.ca does exist but does not show the warning you describe, so I
suppose you are not telling us the real domain name.
If you want help for your specific domain please follow advice given here:
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
TL;DR post the real domain name.
> In the diagram at DNSVIS.NET, it looks like the DS with alg 1 is dangling
> at the top level domain (.ca) with the yellow warning as per above, while
> the alg 2 links to my domain's DNSKEY properly.
>
> How should I tidy up this digest algo 1? Do I simply remove it at the
> domain registrar, or is there a better way to run dnssec-signzone?
Well _maybe_ you can simply drop the DS algo 1, but we cannot be sure
without checking on the real domain name.
--
Petr Špaček
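Added example, not part of the thread and not BIND's own code: the two DS records with one key tag arise because a DS is just a hash of the owner name (in wire form) followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), and dnssec-signzone emits that hash once with SHA-1 (digest type 1) and once with SHA-256 (digest type 2). The script below recomputes DS records for a DNSKEY, audits a published DS set to see which entries link to a current key and which dangle, and answers the offline part of "can the SHA-1 DS be removed": does a non-SHA-1 DS still match the KSK once it is gone. The key material is a constructed 32-byte placeholder, so the key tag and digests it produces are not those of the DS records quoted above; the owner name, helper names and the stale old-key DS are my own assumptions.

```python
"""Compute DS records for a DNSKEY (RFC 4034, section 5.1.4) and audit a
published DS set against the zone's keys: which DS records link to a key,
which dangle, and whether the SHA-1 (digest type 1) DS can be dropped."""
import base64
import hashlib
from dataclasses import dataclass

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# Digest types not to publish for new delegations (RFC 8624 deprecates SHA-1 DS).
DEPRECATED_DIGEST_TYPES = {1}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, uncompressed, root-terminated."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def compute_key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    @property
    def key_tag(self) -> int:
        return compute_key_tag(self.rdata)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


def parse_dnskey(owner: str, text: str) -> DNSKey:
    """Parse DNSKEY RDATA as printed in a zone file: '257 3 8 <base64...>'."""
    flags, protocol, algorithm, *b64 = text.split()
    return DNSKey(owner, int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64)))


def parse_ds(text: str) -> DS:
    """Parse DS RDATA as a registrar shows it: '<keytag> <alg> <digesttype> <hex...>'."""
    key_tag, algorithm, digest_type, *hexparts = text.split()
    return DS(int(key_tag), int(algorithm), int(digest_type), "".join(hexparts).lower())


def ds_from_key(key: DNSKey, digest_type: int) -> DS:
    """DS = (key tag, algorithm, digest type, hash(owner name in wire form | DNSKEY RDATA))."""
    digest = DIGEST[digest_type](name_to_wire(key.owner) + key.rdata).hexdigest()
    return DS(key.key_tag, key.algorithm, digest_type, digest)


def audit_ds(published, keys):
    """Map each published DS to 'linked' (matches a DNSKEY) or 'dangling' (matches none)."""
    status = {}
    for ds in published:
        linked = ds.digest_type in DIGEST and any(
            ds_from_key(key, ds.digest_type) == ds
            for key in keys
            if key.key_tag == ds.key_tag and key.algorithm == ds.algorithm
        )
        status[ds] = "linked" if linked else "dangling"
    return status


def safe_to_drop_sha1(published, keys) -> bool:
    """True if some non-SHA-1 DS still links to a key once digest type 1 is removed.
    Offline approximation: checks DS<->DNSKEY matching only, not the RRSIG over DNSKEY."""
    remaining = [ds for ds in published if ds.digest_type not in DEPRECATED_DIGEST_TYPES]
    return "linked" in audit_ds(remaining, keys).values()


# Constructed sample data (assumption): a placeholder 32-byte blob stands in for the
# RSA public key, so key tag and digests are NOT those of the DS records in the thread.
OWNER = "mydomain.ca."
KSK = DNSKey(OWNER, 257, 3, 8, bytes(range(1, 33)))
OLD_KSK = DNSKey(OWNER, 257, 3, 8, bytes(range(33, 65)))  # hypothetical key rolled out of the zone
DNSKEY_TEXT = "257 3 8 " + base64.b64encode(KSK.pubkey).decode()
# What the registrar holds: both digests of the current KSK, plus a stale DS of the old one.
PUBLISHED = [ds_from_key(KSK, 1), ds_from_key(KSK, 2), ds_from_key(OLD_KSK, 2)]

if __name__ == "__main__":
    for ds, state in audit_ds(PUBLISHED, [KSK]).items():
        print(f"{OWNER} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}  -> {state}")
    print("safe to remove the SHA-1 DS:", safe_to_drop_sha1(PUBLISHED, [KSK]))
```

To use it on a real zone, feed the KSK line from `dig DNSKEY <zone>` to parse_dnskey and the registrar's DS entries to parse_ds; BIND's dnssec-dsfromkey performs the same hash computation. If the digest-type-2 DS reports "linked", the SHA-1 DS adds nothing to the chain of trust for validators that support SHA-256, which is the situation in which it could be removed at the registrar; it does not replace checking the live delegation the way DNSViz does.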
More information about the bind-users
mailing list