DS keys with 2 digest algorithms
Jan-Piet Mens
list at mens.de
Thu Sep 22 15:45:15 UTC 2022
>Maybe in the future dnssec-signzone won't generate the deprecated entry to
>begin with.
BIND 9.16.0 stopped generating SHA1 digests [1]:
"DS and CDS records are now generated with SHA-256 digests only, instead of both SHA-1 and SHA-256. This affects the default output of dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS records added to a zone by dnssec-signzone based on keyset files, the CDS records added to a zone by named and dnssec-signzone based on “sync” timing parameters in key files, and the checks performed by dnssec-checkds."
-JP
[1] https://bind9.readthedocs.io/en/v9_16_6/notes.html
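
One way to check a dsset file or DS listing for leftover SHA-1 digests, as an added example that is not part of the original message or of BIND. The `audit_ds` helper, the sample records and their dummy digests are constructed for illustration; digest type numbers are those of the IANA DS digest registry.

```python
import re
from collections import defaultdict

# Hex length per DS digest type: 1=SHA-1, 2=SHA-256, 3=GOST R 34.11-94, 4=SHA-384
DIGEST_HEX_LEN = {1: 40, 2: 64, 3: 64, 4: 96}

# Constructed sample in dsset-file layout; digests are dummy hex, not real keys.
SAMPLE_DSSET = """\
example.com.  IN DS 12345 8 1 {sha1}
example.com.  IN DS 12345 8 2 {sha256}
example.com.  IN DS 54321 13 2 {sha256}
; a comment line
example.com.  IN DS 999 8 1 ABCD
""".format(sha1="A1" * 20, sha256="B2" * 32)

# owner [TTL] [IN] DS keytag algorithm digesttype digest (digest may contain spaces)
DS_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+"
    r"(\d+)\s+\d+\s+(\d+)\s+([0-9A-Fa-f\s]+)$")

def audit_ds(text):
    """Return (by_key, problems): digest types seen per (owner, key tag), and findings."""
    by_key, problems = defaultdict(set), []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        m = DS_RE.match(line)
        if not m:
            continue
        owner, tag, dtype, digest = m.groups()
        owner, tag, dtype = owner.lower(), int(tag), int(dtype)
        digest = "".join(digest.split())
        expected = DIGEST_HEX_LEN.get(dtype)
        if expected is None:
            problems.append((owner, tag, f"unknown digest type {dtype}"))
        elif len(digest) != expected:
            problems.append((owner, tag, f"digest length {len(digest)}, expected {expected}"))
        else:
            by_key[(owner, tag)].add(dtype)
    for (owner, tag), types in sorted(by_key.items()):
        if types == {1}:
            problems.append((owner, tag, "SHA-1 digest only"))
        elif 1 in types:
            problems.append((owner, tag, "SHA-1 digest alongside a stronger one"))
    return dict(by_key), problems

if __name__ == "__main__":
    for finding in audit_ds(SAMPLE_DSSET)[1]:
        print(*finding)
```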